dcrat | ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe
Size

1.3MB
MD5

6ebb52511ef8fe3c68ea92efdb130b92
SHA1

32b434b83d3cf23fd1da29d0d3ba0d140f0a4cea
SHA256

ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c
SHA512

c71cc4166832eda2f899969d54b39016b3dcf979be9c1d0961581f0fa60f529bf353847117ca1b3b2dcc90551c0b58ee97cac307e71ea075f748bcfcc49174d9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3044	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d1f-9.dat	dcrat
behavioral1/memory/2836-13-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/848-55-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2568-124-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2728-184-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1452-245-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/584-305-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2852-365-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/1708-425-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/2472-485-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2688-545-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1028-605-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe
680	powershell.exe
2504	powershell.exe
3060	powershell.exe
2864	powershell.exe
2616	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2836	DllCommonsvc.exe
848	lsass.exe
2568	lsass.exe
2728	lsass.exe
1452	lsass.exe
584	lsass.exe
2852	lsass.exe
1708	lsass.exe
2472	lsass.exe
2688	lsass.exe
1028	lsass.exe
592	lsass.exe
2776	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	cmd.exe
2300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1084	schtasks.exe
2700	schtasks.exe
2880	schtasks.exe
2964	schtasks.exe
2984	schtasks.exe
2796	schtasks.exe
2468	schtasks.exe
876	schtasks.exe
2648	schtasks.exe
3024	schtasks.exe
2992	schtasks.exe
2848	schtasks.exe
1556	schtasks.exe
2932	schtasks.exe
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2836	DllCommonsvc.exe
1988	powershell.exe
680	powershell.exe
2864	powershell.exe
3060	powershell.exe
2504	powershell.exe
2616	powershell.exe
848	lsass.exe
2568	lsass.exe
2728	lsass.exe
1452	lsass.exe
584	lsass.exe
2852	lsass.exe
1708	lsass.exe
2472	lsass.exe
2688	lsass.exe
1028	lsass.exe
592	lsass.exe
2776	lsass.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	DllCommonsvc.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	848	lsass.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2568	lsass.exe
Token: SeDebugPrivilege	2728	lsass.exe
Token: SeDebugPrivilege	1452	lsass.exe
Token: SeDebugPrivilege	584	lsass.exe
Token: SeDebugPrivilege	2852	lsass.exe
Token: SeDebugPrivilege	1708	lsass.exe
Token: SeDebugPrivilege	2472	lsass.exe
Token: SeDebugPrivilege	2688	lsass.exe
Token: SeDebugPrivilege	1028	lsass.exe
Token: SeDebugPrivilege	592	lsass.exe
Token: SeDebugPrivilege	2776	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe	31
PID 2060 wrote to memory of 2300	2060	WScript.exe	32
PID 2060 wrote to memory of 2300	2060	WScript.exe	32
PID 2060 wrote to memory of 2300	2060	WScript.exe	32
PID 2060 wrote to memory of 2300	2060	WScript.exe	32
PID 2300 wrote to memory of 2836	2300	cmd.exe	34
PID 2300 wrote to memory of 2836	2300	cmd.exe	34
PID 2300 wrote to memory of 2836	2300	cmd.exe	34
PID 2300 wrote to memory of 2836	2300	cmd.exe	34
PID 2836 wrote to memory of 2864	2836	DllCommonsvc.exe	51
PID 2836 wrote to memory of 2864	2836	DllCommonsvc.exe	51
PID 2836 wrote to memory of 2864	2836	DllCommonsvc.exe	51
PID 2836 wrote to memory of 2616	2836	DllCommonsvc.exe	52
PID 2836 wrote to memory of 2616	2836	DllCommonsvc.exe	52
PID 2836 wrote to memory of 2616	2836	DllCommonsvc.exe	52
PID 2836 wrote to memory of 3060	2836	DllCommonsvc.exe	54
PID 2836 wrote to memory of 3060	2836	DllCommonsvc.exe	54
PID 2836 wrote to memory of 3060	2836	DllCommonsvc.exe	54
PID 2836 wrote to memory of 1988	2836	DllCommonsvc.exe	55
PID 2836 wrote to memory of 1988	2836	DllCommonsvc.exe	55
PID 2836 wrote to memory of 1988	2836	DllCommonsvc.exe	55
PID 2836 wrote to memory of 680	2836	DllCommonsvc.exe	56
PID 2836 wrote to memory of 680	2836	DllCommonsvc.exe	56
PID 2836 wrote to memory of 680	2836	DllCommonsvc.exe	56
PID 2836 wrote to memory of 2504	2836	DllCommonsvc.exe	57
PID 2836 wrote to memory of 2504	2836	DllCommonsvc.exe	57
PID 2836 wrote to memory of 2504	2836	DllCommonsvc.exe	57
PID 2836 wrote to memory of 848	2836	DllCommonsvc.exe	63
PID 2836 wrote to memory of 848	2836	DllCommonsvc.exe	63
PID 2836 wrote to memory of 848	2836	DllCommonsvc.exe	63
PID 848 wrote to memory of 272	848	lsass.exe	64
PID 848 wrote to memory of 272	848	lsass.exe	64
PID 848 wrote to memory of 272	848	lsass.exe	64
PID 272 wrote to memory of 2124	272	cmd.exe	66
PID 272 wrote to memory of 2124	272	cmd.exe	66
PID 272 wrote to memory of 2124	272	cmd.exe	66
PID 272 wrote to memory of 2568	272	cmd.exe	67
PID 272 wrote to memory of 2568	272	cmd.exe	67
PID 272 wrote to memory of 2568	272	cmd.exe	67
PID 2568 wrote to memory of 2556	2568	lsass.exe	68
PID 2568 wrote to memory of 2556	2568	lsass.exe	68
PID 2568 wrote to memory of 2556	2568	lsass.exe	68
PID 2556 wrote to memory of 1852	2556	cmd.exe	70
PID 2556 wrote to memory of 1852	2556	cmd.exe	70
PID 2556 wrote to memory of 1852	2556	cmd.exe	70
PID 2556 wrote to memory of 2728	2556	cmd.exe	71
PID 2556 wrote to memory of 2728	2556	cmd.exe	71
PID 2556 wrote to memory of 2728	2556	cmd.exe	71
PID 2728 wrote to memory of 1600	2728	lsass.exe	72
PID 2728 wrote to memory of 1600	2728	lsass.exe	72
PID 2728 wrote to memory of 1600	2728	lsass.exe	72
PID 1600 wrote to memory of 1216	1600	cmd.exe	74
PID 1600 wrote to memory of 1216	1600	cmd.exe	74
PID 1600 wrote to memory of 1216	1600	cmd.exe	74
PID 1600 wrote to memory of 1452	1600	cmd.exe	75
PID 1600 wrote to memory of 1452	1600	cmd.exe	75
PID 1600 wrote to memory of 1452	1600	cmd.exe	75
PID 1452 wrote to memory of 2316	1452	lsass.exe	76
PID 1452 wrote to memory of 2316	1452	lsass.exe	76
PID 1452 wrote to memory of 2316	1452	lsass.exe	76
PID 2316 wrote to memory of 1524	2316	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ceb3185469a2c0d23d25d9aa176943d04f9f7617d342bb20f187dc77105bee7c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2124
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1852
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1216
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1524
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        14⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2296
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        16⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3032
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        18⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:372
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
        20⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1480
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        22⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3020
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        24⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1660
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        26⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1116
        
        C:\Windows\de-DE\lsass.exe
        
        "C:\Windows\de-DE\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a68b0a70c70046bdb7e1c882f288d59

SHA1
4d17b934e6541e066a8c0d6df9b4dc14c16ff02c

SHA256
7a59b1b2c33c4fc6fcab183cc60eb466285f244281fa78f6f61406f5e74edfd3

SHA512
901c8433bea6b2c12a0b84d9d8adb4769d2df6f60005c9b7ccb0a6e1f0fa67e6c27d2f5b05be17dbc4ae8c3a260d48ca31b805c2fbfd08c7ceca2a78d6a099c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f0428e6ebf3cb545220dcd50676ae85

SHA1
884bbd24d4aa7de708418fd62408d671064e78a9

SHA256
53191bd77d19ee3fefe116b7b8f18c8a4f683d57ee0fd6e299d281768b528b0f

SHA512
4defe93f59bdebba9ea5eb819182bd7b00ad9ba02febcb7d2f9921cebfcdf448c8333fa8ff35236fa0d7b1dee13dcefeb6fc1ccc48e3bf8ee82acda29c6ce37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b436dc51648e4226a4182b25a076d3d

SHA1
0f949c8df97ee09a999e47314e5a05917ca12d6f

SHA256
701b8c8f2eba8da6fc2aa3092d70ed754bc4837d0af55d4e0a7c3529fdcdccd3

SHA512
7180c66dc5ae3263fc96639d26132f1628ce486d9e1e3d39b99429f2198b7e1097a0186b9a5456e852dc907aeec0a91073aa77b814ba20c79a3d4897af1f4ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5acb6f85adc0b6bbccf5528ab8e87cce

SHA1
726721f1ea9056dbd98134b10cbb265e2a0ee8d7

SHA256
de35431a4029d3524e55e5c0b1edba8527ef2a56ce0bdc0d06d59e1d7d487032

SHA512
f23cd11355ab5faca55b186a953956764a3852a2676b4629a94753826bc9e8e6576cee3f0f7d6021aadb76f0ab464ce21e2dea32324693da6639c1d47cc7be36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
252f420bf698aaed2b7271a36a0ab888

SHA1
f720fb42e05966e035f23ecf16765e22f179d91f

SHA256
c30af7b1bdf514327da90e58573dc16caa1ec3ff0a1fbc0534d6f36bffbb1b3e

SHA512
b8eea0c74df7fb339fae59b0c9b515fb7122501510e9a6815801b0f92e9518be724b84c5d1c4aa6719c1c925666cf5e7d88c0e90d39f8202e91d0923f6439312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
041f8f86f78bfba7059c5d8f517d00ea

SHA1
9999171664e5b3b28a3ec1ac9c806ffdb9906ae2

SHA256
7cb02cc83e993d8a4d564fb4996d6774035484d2ce1b5e0a9d7ea43a82429c4d

SHA512
ee68791a8fdc17978c339fc23896a09813922e1dbf5cb5ce461c5143026fa0e46d73125fbef27a7659c363e48cb71fcb8ea9c48ffe7e95ff6802c7be2cbf58a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d58ff99b825536ae156cdf7f352d1820

SHA1
24feeb291c4849ec496f53870f0ce41db91a87d1

SHA256
9540d8321c3711036482b889c2c58830f08e20469ca6913d225f566f25698440

SHA512
b2939bc46be37dafc3f632bf878e8b39532837ee6a1210867f37ac597eeffde3992cfdd647ac662dfeefa9921725ba668c77e92b080b3ffe17ac10f6f6646e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6bd31c87bde1a49a7902b8d6dee1eaf

SHA1
03007da13dcb57cd7ff934fd9deb0c0c0df6fe7d

SHA256
ada9e4893a7af3cb5cd5e514fea5e03fb70a048ba726ec0009ba8186f6f66a69

SHA512
0550aa4a258cf843bb9e740eb7785bfd2d1c60cc5f7d6fafc4cf9ef183b50d6dd481be0da5b2ec96cabe0dafe3253a052953f6f54bba960cc4d822cdedae4261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dea15aaf2a1c756c053f6f676c40fce

SHA1
19547e33d90a7f016ae52ee206b7173d08001af6

SHA256
44493630036a1c60690f4d8e3842ada99d3ba12ba3ffa7ec7f24ea2ea0ebac9c

SHA512
683b468f5db7f8c518128bbe530e99ca147337ad59483a6f17ce6cd2585a6144196f75ae9657b634c0f3d5c7b4c0c581633a32031833394542681e6e83ea1c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95681d4d71adc4678d63fcec71993bc3

SHA1
e2305a943db33a46f6407660eda825d3928540a4

SHA256
d9e33e6048d8ec71286ce8f0cc4deaa95f22595fc619738d619773c9502c5af5

SHA512
1593850abaf1fccb68a2cab2ac4f488df694bd42c2a03cb11f96bb5f8ce9b991bdf69d5ee86d481fe5ea7aa509c1ba04903b0134ee50367f127dcfe4ea13d623

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
191B

MD5
2a2931044ddea61ddd629c84b385c914

SHA1
1673354e379f6f6f6570d0295518e2fb7bed8feb

SHA256
5888f6944ca720b77913989584586712005b959bf78471e497bd0c88383612e0

SHA512
5ccd2889b1ed06d165e29f01150f8f9b16cee3ced9811657c93d809b76ef3f07f30bb0808532e0b2d28828aeea37d5dcd95ea817a76471d5d841687f7bfa8770

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
191B

MD5
978d14e5885a77fcdb6426a66fc80a63

SHA1
c5b030af9455899772f2f9608594d597f7bc49bf

SHA256
b384a614beb7efe733946988d4fa5778ea48773651ce97e2ae1c6bcd8f08e528

SHA512
d4f1bd5ca433b81990f300d242ccbbb96eb81a758b6ed7b8238b075d1e30cce8a7b44117c563a366b92425b14007c0359e711da134d20d990328a7bac1fef38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
191B

MD5
6a153c8c4611d9436820169aba013618

SHA1
c244e62f043da514555e9db8bc00be09cbf19967

SHA256
a83ea86368de26899b84f2e6ebd5a9a8f55df2242f8da2b3ad51f8206f94aab8

SHA512
c1b2ef4af070039921de8f4117c48f9d51c2d35a320b2f7f39b881083349773c52e489be3f369f3a30fd18e3bda137c4627bf395abe30f53a6d7d7641c32bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2213.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
191B

MD5
ac587ed2c880b525929d55b0e167c1c0

SHA1
d6fe099aee5c03da07c8de044dee80c86dbc0bd2

SHA256
214e63df1961b001d711d0e8315092ac6f019ee3be772a1af2454cee21a48a07

SHA512
b4c8af9c5492a7154ede303bf446e1d7ca8d8c651bb50c81ae03f572810c81c0c02dc022c3751160816e2d97328b484482644ce78e9d00d15a7ab8e8a47128cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
191B

MD5
d26c04807e9186d4a5632a3c448daaf3

SHA1
8799d9b7aa1e6f81a30b6d44965e5967c78e1f18

SHA256
21e5e2cb9e6f09d81d07e1436707ccebbd10329c255b7e1b6003923d35997170

SHA512
8501a4d80c63b76a0f4a957ef9a3208970026f10ac59d95be0070b62958edf87f371aee306ae31b41b93c6eef14b8420b10f060298a5cb5eec152227326c7c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2235.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

Filesize
191B

MD5
6cdc60caea4ccf919a07ac8353534dce

SHA1
734746e10ce2c8a109a6f864deafee298c612ea2

SHA256
70bef065a3f727d95e9a6087878485978904c5e53b69882b1d7130ccc1922c70

SHA512
2fb9c41f4faea34b1a83c9de639b838b19da36a0e314c6b5591de92626f0ad54a39b6c0a59f2269c1da2d3604fb07a1e821fe6a7d09a49a25df5f8cd490b6043

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
191B

MD5
235251c72eb219550d795c90ed6cf6df

SHA1
3cfbcda154ea957d741f376abdcb3b014301a8c9

SHA256
55b25940fd5f7883969e33aa5d85107a8978e38e2aaf874d4539ca87c16f59f3

SHA512
0681f3a2ec159c80d2b00b666e2b4f38c4a2a3ccc402c1ff65043ca32476b767b7f4d2aa0240b8ff48f7ef3051226d6b0ea4352f0188dc215f1ad8f5cf378781

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
191B

MD5
6eaf95e999e8de4b05d6d71f8f9cb783

SHA1
3530362f56e2978c20a54decce2aaf25e17ea2f1

SHA256
67a209524f3e5dec063cf0adc66bdf51bb223c681e3789d12ae4ea1ae5d899f8

SHA512
30821cb170e4c27de95908870f16bbe25f586f37de552bc065d64a2f2381dcded3d7e04088ec014db76a1573dcf5dd45b60c781149cc506ac5fbafb7f952c5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
191B

MD5
02b9181c433ed9bc0a5f57242cd4b011

SHA1
a3675cd3ed2a5db9cf98921da249ad27b816189b

SHA256
fd1987ed1052d656b9116ba26038438f4216dfb781db30758d886c33cece0740

SHA512
ff5d30156e88d7613d7344b9f7cef6aeeefe0605a427348b1bfcd40fed50d01a478f4c39cedf04f846dfc5e8d62162716227eab47f596e057517e8dcd342d801

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
191B

MD5
f8504d323e813e98668fd2c692862b09

SHA1
7f03e78dbc76124cd0afc16881f7acea22ccb5ad

SHA256
aae6e4a04ba791b971ec0e8767aef7c372ce57bb5366614c14e519263f405174

SHA512
59a667ed42f37fb2468cf51e98d8b1ae98591925e6be5cdae7425a1e491efd37fc3406d08d669a700c116fc5379c444d51d4a0c775772401193791134b128435

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
191B

MD5
e21da12143ef740bc03b9d8ef8ea828e

SHA1
beea30e9cd62d6674f6a47d5346b4d3c83a28b7e

SHA256
fce84e69adc4b28a0a175e3af9e8c46532b49b8231df504751a6c11245fd7db9

SHA512
efda4c81a8d1097841147ad43540696bc1b7b58eb57c8ead284a3a291a575330fb9511cfe83ea592ecea235bd4e3897bd788c77007c2df42a8653027464a0e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
55a3dcb3a392a7e052a5157cce39b9b6

SHA1
cafe23730040977c6d398e71e69b967e6e2bdf09

SHA256
dc71baaca3a0d133182cb38d5a1f851679168946ec92459d8b39c010de36073a

SHA512
8a19b28bd34b8706dd285a316d62362a2e7407d595106aeea6690ffa3aa73d9a4e0ba26cf8dfd3c3784b7d539b68298766c1dc770170d9594ec68aa379bd9d99

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/584-305-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/680-49-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/680-48-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/848-55-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1028-605-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/1452-245-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-425-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2472-485-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2568-124-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-545-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2728-184-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2728-185-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2836-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2836-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2836-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2836-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2836-13-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2852-365-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download