dcrat | 50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe
Size

1.3MB
MD5

9b48e4687c795af5b697ecf0d12049e2
SHA1

45dc786acf16f5c84c2f4d34c07fbf92e836f28f
SHA256

50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66
SHA512

70f63c6eddce0afa60d647076801917d0c08eee83514cfcdc3b56f94d3fa4730c3b899ebf9fff40cfd6719688206d27b08a6c3b29aa6a40e092fe785cf17d487
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2412	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2412	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000174a6-9.dat	dcrat
behavioral1/memory/2720-13-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2212-73-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/544-132-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2840-251-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/572-371-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2248-431-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2588-491-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1948-551-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/1212-612-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
1652	powershell.exe
1056	powershell.exe
564	powershell.exe
2824	powershell.exe
2392	powershell.exe
1768	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2720	DllCommonsvc.exe
2212	DllCommonsvc.exe
544	DllCommonsvc.exe
680	DllCommonsvc.exe
2840	DllCommonsvc.exe
2776	DllCommonsvc.exe
572	DllCommonsvc.exe
2248	DllCommonsvc.exe
2588	DllCommonsvc.exe
1948	DllCommonsvc.exe
1212	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2944	schtasks.exe
2696	schtasks.exe
1948	schtasks.exe
992	schtasks.exe
2492	schtasks.exe
2620	schtasks.exe
1492	schtasks.exe
1472	schtasks.exe
1924	schtasks.exe
1892	schtasks.exe
1640	schtasks.exe
2936	schtasks.exe
560	schtasks.exe
2892	schtasks.exe
1268	schtasks.exe
1368	schtasks.exe
2384	schtasks.exe
1032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2720	DllCommonsvc.exe
1028	powershell.exe
1768	powershell.exe
564	powershell.exe
1056	powershell.exe
2392	powershell.exe
1652	powershell.exe
2824	powershell.exe
2212	DllCommonsvc.exe
544	DllCommonsvc.exe
680	DllCommonsvc.exe
2840	DllCommonsvc.exe
2776	DllCommonsvc.exe
572	DllCommonsvc.exe
2248	DllCommonsvc.exe
2588	DllCommonsvc.exe
1948	DllCommonsvc.exe
1212	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	DllCommonsvc.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2212	DllCommonsvc.exe
Token: SeDebugPrivilege	544	DllCommonsvc.exe
Token: SeDebugPrivilege	680	DllCommonsvc.exe
Token: SeDebugPrivilege	2840	DllCommonsvc.exe
Token: SeDebugPrivilege	2776	DllCommonsvc.exe
Token: SeDebugPrivilege	572	DllCommonsvc.exe
Token: SeDebugPrivilege	2248	DllCommonsvc.exe
Token: SeDebugPrivilege	2588	DllCommonsvc.exe
Token: SeDebugPrivilege	1948	DllCommonsvc.exe
Token: SeDebugPrivilege	1212	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2560	2796	JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe	29
PID 2796 wrote to memory of 2560	2796	JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe	29
PID 2796 wrote to memory of 2560	2796	JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe	29
PID 2796 wrote to memory of 2560	2796	JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe	29
PID 2560 wrote to memory of 2524	2560	WScript.exe	30
PID 2560 wrote to memory of 2524	2560	WScript.exe	30
PID 2560 wrote to memory of 2524	2560	WScript.exe	30
PID 2560 wrote to memory of 2524	2560	WScript.exe	30
PID 2524 wrote to memory of 2720	2524	cmd.exe	32
PID 2524 wrote to memory of 2720	2524	cmd.exe	32
PID 2524 wrote to memory of 2720	2524	cmd.exe	32
PID 2524 wrote to memory of 2720	2524	cmd.exe	32
PID 2720 wrote to memory of 1028	2720	DllCommonsvc.exe	52
PID 2720 wrote to memory of 1028	2720	DllCommonsvc.exe	52
PID 2720 wrote to memory of 1028	2720	DllCommonsvc.exe	52
PID 2720 wrote to memory of 1652	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1652	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1652	2720	DllCommonsvc.exe	53
PID 2720 wrote to memory of 1056	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 1056	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 1056	2720	DllCommonsvc.exe	54
PID 2720 wrote to memory of 564	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 564	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 564	2720	DllCommonsvc.exe	55
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	56
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	56
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	56
PID 2720 wrote to memory of 2824	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 2824	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 2824	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 2392	2720	DllCommonsvc.exe	58
PID 2720 wrote to memory of 2392	2720	DllCommonsvc.exe	58
PID 2720 wrote to memory of 2392	2720	DllCommonsvc.exe	58
PID 2720 wrote to memory of 2332	2720	DllCommonsvc.exe	66
PID 2720 wrote to memory of 2332	2720	DllCommonsvc.exe	66
PID 2720 wrote to memory of 2332	2720	DllCommonsvc.exe	66
PID 2332 wrote to memory of 604	2332	cmd.exe	68
PID 2332 wrote to memory of 604	2332	cmd.exe	68
PID 2332 wrote to memory of 604	2332	cmd.exe	68
PID 2332 wrote to memory of 2212	2332	cmd.exe	69
PID 2332 wrote to memory of 2212	2332	cmd.exe	69
PID 2332 wrote to memory of 2212	2332	cmd.exe	69
PID 2212 wrote to memory of 2896	2212	DllCommonsvc.exe	70
PID 2212 wrote to memory of 2896	2212	DllCommonsvc.exe	70
PID 2212 wrote to memory of 2896	2212	DllCommonsvc.exe	70
PID 2896 wrote to memory of 988	2896	cmd.exe	72
PID 2896 wrote to memory of 988	2896	cmd.exe	72
PID 2896 wrote to memory of 988	2896	cmd.exe	72
PID 2896 wrote to memory of 544	2896	cmd.exe	73
PID 2896 wrote to memory of 544	2896	cmd.exe	73
PID 2896 wrote to memory of 544	2896	cmd.exe	73
PID 544 wrote to memory of 620	544	DllCommonsvc.exe	74
PID 544 wrote to memory of 620	544	DllCommonsvc.exe	74
PID 544 wrote to memory of 620	544	DllCommonsvc.exe	74
PID 620 wrote to memory of 1664	620	cmd.exe	76
PID 620 wrote to memory of 1664	620	cmd.exe	76
PID 620 wrote to memory of 1664	620	cmd.exe	76
PID 620 wrote to memory of 680	620	cmd.exe	77
PID 620 wrote to memory of 680	620	cmd.exe	77
PID 620 wrote to memory of 680	620	cmd.exe	77
PID 680 wrote to memory of 1596	680	DllCommonsvc.exe	78
PID 680 wrote to memory of 1596	680	DllCommonsvc.exe	78
PID 680 wrote to memory of 1596	680	DllCommonsvc.exe	78
PID 1596 wrote to memory of 1384	1596	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50a15fc9aa3d3f0a8c441a17e9fbe8941ee5530d1f6f124614f1dc277176da66.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YDZtC7gNkI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:604
      - C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:988
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1664
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1384
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        13⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:320
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        15⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2956
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        17⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2024
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        19⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2556
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        21⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1812
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        23⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:940
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
023f00ebceebe108e4d3494492e050c8

SHA1
566ae482413ef827d337b7da89b20a54652fef14

SHA256
2651d9eb884c82e1ccb716d170256667f0f846f9053c66bb239be6e3a32fe500

SHA512
bba420de30c93959d3ba7bf93868bce4d5009392562735a2d547dd2f8572014644d6cf5f9804f81ff93ba102e25423652623d698916cc4c87a245556ac54157f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bbac11edb9318005502e562299187f3

SHA1
200edffbda82c45b62055b42708194865dd804ee

SHA256
af7cd08f8058d5ff4f8ae7b155e01884dbf954baadff33e0c67b7161a5a250aa

SHA512
5ce67b882278d6de3317e3212e5d7d59273c2c988e1b7211507a333b83bca0a92f6b30d72ea67fdf5c42cf880bb87aa569d8a3b026181d5e43a491ba0235f8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2febbe8e98e0e9a599964d3292196c

SHA1
5b267a045f84bf6b9d95c2e9c1652bc5a2a107fe

SHA256
61cc6742a93c97c981ffaa48efa4d72fd2dbe880714bd2724ef2cade11708715

SHA512
f5eb3d8eb343950816d4c0a8d4d3076dff2eeab0b82b621d5ef81a792eff55f6720ac8298e3e40cb940d18c5061e91901e65f2685a0208f48601a9f0fe3ae83c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8956fe49367628aa7a54fe0a33a6f113

SHA1
fff48433d45289375b59049befe11ac86196237f

SHA256
0e7b972e7bd3aa57564d3a2b3b7fc8a4457a100dabe3bdd0250c4ce85ace19be

SHA512
0cd127dedf7dc3cb66c3df260b45bee80feb56ab380056514b25a16d884abf751d5369981f50e329e84bc7b1d28ba18c9d0820ad9e935f4e1bd7ccdeca67a750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d94d76cb0a99ddef5617e3e372f0d7d

SHA1
2f3977468d7b94b44c56450b68dfda18a07cb3a4

SHA256
11716e717a7d286cb24f92741afa1a1afbe9803faaea1a516b42acfade5d44df

SHA512
a97cde35dad8bbb99e20a22130983418c673ea94633d68e5aec540427706b24f73132f340645ab54825c8d24910b8c71664e247005d05900e3acd8b7d2959cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0507f60a213c30fc9aaf3ceb473fafa6

SHA1
22daa0cdcde8613a446173d7638c2d3de7ba7756

SHA256
943061498b9c12be2e93b283dd23041f81c28794d5e9c3bb372b09fa18386650

SHA512
e8639ecb966d2b576a9bb7f0819132396ecb6093d0cc935f387caea5a9bcf4e46309a970d9a68a1e5cb1fc44f781195e152460dd9ea7b14390ceedd464f0eaee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0309a143e0fba40581c9b8a6ef036e3b

SHA1
bdbf0e831c4e03ea4c8667a967233b76c99bcfb8

SHA256
56d77c2bde19824d40cd2f1781ccf6315ce0b0891516cecf5cdf5baaab70f0be

SHA512
70bd0470b10fdb9b4943664b9f01fcb7a81f0acc1fe715ba447458ba595d468a2e512643921aa2f827896ba7921ecf16d48cbc375c582401b5c5b94fb6f8e50e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6373f446efe8f1d8fae520c3216cec2c

SHA1
70352208a8171feb14b0a85efbd9fed08770b284

SHA256
576412704f2afcf710a3633171a7651861e64f9aae7ddb2413b79188801e95e5

SHA512
3385a8967a65111bd46b3d8d262eeeb37bd3fc3cfd116bf4c9f4a40e04ba26dfa6e1a6e85c3f0e6c462ca7fc806de7c271e2af5d3a955368b6a558c29e5c189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
226B

MD5
c2c2c12d51009adccd0b2e96751d0ebb

SHA1
0b44b6f18ddaf16d64292b5a27f5dc578126b883

SHA256
e25f11923d8cc3073637f6c0681bdf3428677a4269fd533b41437f263fd6c627

SHA512
1fdcf8edfc709735613febd59d1beeff1164042853ebc7a386779675484d9569407b54d4e26e619ead2a71858052961a79c0cc673dd8a833007a0d02a752a207

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5B6B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
226B

MD5
f18f83a5c39a3c0f42919f309f368b24

SHA1
e8641addb7ce45c1bf8f7de47c8d4c3abbca6100

SHA256
350e3004cba7c5806d3855f0854455db13b53f0eacbc7fb4a2d7a68883d33344

SHA512
6a4012c80566a53a75be0302044bf29c2480cba243f29876cf6ecad4ee0300e21c8c2311ba443d316fadaaed6fd0cc434135f136d4a91c465c43e714c29a4be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
226B

MD5
75b74111a5452263235cb7d89d3a2506

SHA1
97ca5890b488f2d456d04f6cf082c5c396140057

SHA256
c916533d0033096edbdbca6b95bee28f24533efbbf71a87f3c49a6bab68e7fae

SHA512
66425cc1a9280bcc0b6d9a2931f8e7ad80993b4056f36cbac605f547b3e24d95a3bc366176e738d038b27447911dc3abe52c67ba33f76e66406484151778f659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B7E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDZtC7gNkI.bat

Filesize
226B

MD5
030cf96d2960d4253f254dc85b109a59

SHA1
69e6408673a5b29bc9e492a0396da28be422246e

SHA256
5784bbad1a12395a59deb2f7fe82cc051b327f4cfb0990b1fcb7a59ac79092a1

SHA512
b9301e81df3829449f96a8a16170eca7b933ec66e36fd2c572f3e679c3d057da7108cec13dfe61a370d866574fa5da7c75f7ed49494105915247ab64046f9eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
226B

MD5
48b9c8b7d20b5c474c0cb33e67786f13

SHA1
7d2439f886e1b81bd7aa5652c8d3e1c00d063cfd

SHA256
b7362a30bbfeea7d300b7d65222cd8bd24bedf4e62fd36fd20f9b0d6f92bac59

SHA512
12df306e34ff70a13aa839ef57aa66fa04499f34db7292c0b114b0f958de14dec47fef2a79508eeb4d4cd64b7293bccf5b0bf9e57b788e2d36fb9bf4c0ad0378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
226B

MD5
f072d6a84aa205f32f8623aa013d99cd

SHA1
198c9f9a48d96a14fae6889c97f2d72806a2c16c

SHA256
35625059da8d6c933cba99e9acb8f3f8f1af88191c23e0b519cc65ffec7a4f0c

SHA512
d8c431fc02eb6d81d31497097cc0b9a95b59cfe260ed50c964fc5038497e62a3da94da7787ef136978592ad613c8e2a5dd09ddf88c2e73ca6f6d67f30f12d0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
226B

MD5
847296741836c4b95c269cc79bc70bb7

SHA1
0362f16b8c7d4eda6c0568cc7b6cd90275c225f4

SHA256
c8f2487f4e84f420d7fdb7655a7d93144aec40456d52806789e5e27b221d5bf0

SHA512
0fe6d96e7055ad9b5e43819cec5a7ad3770351ca7a87253fb5aa368e22229b9ae8da75480b52ba6f809f62f77361cd5503ad47a5c4d56e76dbd100887d802da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
226B

MD5
6fb555f173cca09252a3532f33503928

SHA1
eba07fc4e1440177c67c28d36418307db855e66b

SHA256
2c8f0d832044ae1835bd399b88c14ed9ac5ddb219bb83b239cec9dc07c2d9b02

SHA512
411a83bab1feca40ccaa690647525e6cfbd5b4087828f3e5c6a0108ee723bc03d629a99f0a60a28da7c8be00e7088a5ec3338095fd3be8f1d1d1572a04e6c5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
226B

MD5
89ea503be400c6a798eef376d2dcf0a4

SHA1
2787fb4709f4fc356c90f884250262589a9223de

SHA256
44a62cf387813d1101f69ef50cc5eb245de123e421e0ff5f7abc67909e67ee14

SHA512
6c2de758542445e4c89d30ab1ee3ee371b36d2f11632d295eaec02233430173096d92bbfa2bd68dd6a3283537cd0ce7f8d64916e9c39d93c97d6151331d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
226B

MD5
c14f6060fbfd7c610a7a2b159f67ab3e

SHA1
bd9f067b5a904fb512f4a2355ddcab3fb520dce2

SHA256
12626ac960cb680df6e659cbb6e29f37f391507becd26285d3448b9db32fbec6

SHA512
84d8322ee5b9799cc95eee7865eeb72e33714f513addb286aab817046d1e13492b07ccd0bf89ab948cf08104a48122e459a2865f3622aa12f384d7695a8e5b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
71cef4e53f2975b40c8109ac8bdfa368

SHA1
a1bed09c757f3c3a0449177ab2e8f555e843b916

SHA256
1eeb90ee9b93f74a11a529d479c8d6008e931f22dcee032a2eb0764a86aaf322

SHA512
6534815cab2e5c6d58d7f367e2b1fa646b61ea2e87e09f0f33d758d961228c901f24b0fcc84ccd259667f893895f20467bb981a4c65aa36340c92c2ed47b2e9d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-132-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/564-53-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/572-371-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1028-55-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1212-612-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1948-551-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1948-552-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2212-73-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2248-431-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2588-491-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2720-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2720-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2720-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2720-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2720-13-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2776-311-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2840-251-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download