dcrat | 85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe
Size

1.3MB
MD5

9dc28c1dea6b79854f0adb8a7805c7d7
SHA1

20e7498a342e3ef2668e6302a7544319c38d9c1a
SHA256

85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe
SHA512

509ef6d760c41054de00759da5bf6da02512d72878d295723a9397a34f93d8ca1de22d756d32968a66f84ee7a276a059370606136094ff5765b1826b5f43ffb5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2820	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001939c-12.dat	dcrat
behavioral1/memory/1696-13-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/356-73-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2012-310-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1504-370-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2044-430-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/2224-608-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1436	powershell.exe
1792	powershell.exe
3064	powershell.exe
2956	powershell.exe
2120	powershell.exe
1984	powershell.exe
1776	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1696	DllCommonsvc.exe
356	cmd.exe
2116	cmd.exe
944	cmd.exe
2272	cmd.exe
2012	cmd.exe
1504	cmd.exe
2044	cmd.exe
992	cmd.exe
1136	cmd.exe
2224	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
19	raw.githubusercontent.com
35	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
1236	schtasks.exe
988	schtasks.exe
2720	schtasks.exe
2076	schtasks.exe
2320	schtasks.exe
3020	schtasks.exe
2876	schtasks.exe
2644	schtasks.exe
2680	schtasks.exe
2936	schtasks.exe
2528	schtasks.exe
1584	schtasks.exe
2760	schtasks.exe
2860	schtasks.exe
2036	schtasks.exe
1944	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1696	DllCommonsvc.exe
1776	powershell.exe
1984	powershell.exe
2120	powershell.exe
1436	powershell.exe
1792	powershell.exe
2956	powershell.exe
3064	powershell.exe
356	cmd.exe
2116	cmd.exe
944	cmd.exe
2272	cmd.exe
2012	cmd.exe
1504	cmd.exe
2044	cmd.exe
992	cmd.exe
1136	cmd.exe
2224	cmd.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	DllCommonsvc.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	356	cmd.exe
Token: SeDebugPrivilege	2116	cmd.exe
Token: SeDebugPrivilege	944	cmd.exe
Token: SeDebugPrivilege	2272	cmd.exe
Token: SeDebugPrivilege	2012	cmd.exe
Token: SeDebugPrivilege	1504	cmd.exe
Token: SeDebugPrivilege	2044	cmd.exe
Token: SeDebugPrivilege	992	cmd.exe
Token: SeDebugPrivilege	1136	cmd.exe
Token: SeDebugPrivilege	2224	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe	30
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 1696 wrote to memory of 2956	1696	DllCommonsvc.exe	53
PID 1696 wrote to memory of 2956	1696	DllCommonsvc.exe	53
PID 1696 wrote to memory of 2956	1696	DllCommonsvc.exe	53
PID 1696 wrote to memory of 2120	1696	DllCommonsvc.exe	54
PID 1696 wrote to memory of 2120	1696	DllCommonsvc.exe	54
PID 1696 wrote to memory of 2120	1696	DllCommonsvc.exe	54
PID 1696 wrote to memory of 3064	1696	DllCommonsvc.exe	55
PID 1696 wrote to memory of 3064	1696	DllCommonsvc.exe	55
PID 1696 wrote to memory of 3064	1696	DllCommonsvc.exe	55
PID 1696 wrote to memory of 1984	1696	DllCommonsvc.exe	56
PID 1696 wrote to memory of 1984	1696	DllCommonsvc.exe	56
PID 1696 wrote to memory of 1984	1696	DllCommonsvc.exe	56
PID 1696 wrote to memory of 1776	1696	DllCommonsvc.exe	58
PID 1696 wrote to memory of 1776	1696	DllCommonsvc.exe	58
PID 1696 wrote to memory of 1776	1696	DllCommonsvc.exe	58
PID 1696 wrote to memory of 1792	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 1792	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 1792	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 1436	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1436	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1436	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	67
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	67
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	67
PID 1976 wrote to memory of 1720	1976	cmd.exe	69
PID 1976 wrote to memory of 1720	1976	cmd.exe	69
PID 1976 wrote to memory of 1720	1976	cmd.exe	69
PID 1976 wrote to memory of 356	1976	cmd.exe	70
PID 1976 wrote to memory of 356	1976	cmd.exe	70
PID 1976 wrote to memory of 356	1976	cmd.exe	70
PID 356 wrote to memory of 2824	356	cmd.exe	72
PID 356 wrote to memory of 2824	356	cmd.exe	72
PID 356 wrote to memory of 2824	356	cmd.exe	72
PID 2824 wrote to memory of 1848	2824	cmd.exe	74
PID 2824 wrote to memory of 1848	2824	cmd.exe	74
PID 2824 wrote to memory of 1848	2824	cmd.exe	74
PID 2824 wrote to memory of 2116	2824	cmd.exe	75
PID 2824 wrote to memory of 2116	2824	cmd.exe	75
PID 2824 wrote to memory of 2116	2824	cmd.exe	75
PID 2116 wrote to memory of 1348	2116	cmd.exe	76
PID 2116 wrote to memory of 1348	2116	cmd.exe	76
PID 2116 wrote to memory of 1348	2116	cmd.exe	76
PID 1348 wrote to memory of 1968	1348	cmd.exe	78
PID 1348 wrote to memory of 1968	1348	cmd.exe	78
PID 1348 wrote to memory of 1968	1348	cmd.exe	78
PID 1348 wrote to memory of 944	1348	cmd.exe	79
PID 1348 wrote to memory of 944	1348	cmd.exe	79
PID 1348 wrote to memory of 944	1348	cmd.exe	79
PID 944 wrote to memory of 836	944	cmd.exe	80
PID 944 wrote to memory of 836	944	cmd.exe	80
PID 944 wrote to memory of 836	944	cmd.exe	80
PID 836 wrote to memory of 2520	836	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85cfbf1e77e7aa28552f5e95dd29349fdaf5094610a3068c46bc02b244a22fbe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VKGY5p0cay.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1720
      - C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1848
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1968
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2520
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        13⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2708
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        15⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2312
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        17⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2596
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        19⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2264
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        21⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1424
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        23⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1520
        
        C:\Program Files\7-Zip\cmd.exe
        
        "C:\Program Files\7-Zip\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        25⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9db99a2ff9a458da6ecdebb0c1298213

SHA1
436142fded637dccc779d8a7fcd2cdba3782d895

SHA256
dfab609283135126470dc0923c28d55f1e44258ca9499e447b4bfbc993f642fa

SHA512
bb366eb7ff75697d997a39d9243cd2fe74675f4b065dfca69d6966984ba9e4de8cee4085a456bcbf5b9288be4c2741a56c38cc6647334d018660f42b1ee5c389

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
035a4f4e11b579e8c948003350df568c

SHA1
d3b066fb5649b534ede797c3ff3691f115312d4d

SHA256
2ab6ac297fcbcfa0879b6be8dcd0bc8ca3914b57fc15f193ffdc0c53a4477d62

SHA512
2b938bc1f791ca7fdd1c3e14864eeb3bca75f163c775cbe8057200596dc1a0e6461e8cc6b720aab8d577cc37c0e02ac609cef18b7bba696811b77f15d9bac38e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a862aef9061db74c8526e827ffb81994

SHA1
d0c57fc3064751c09b56cb8d9d586e695d75d666

SHA256
d8a3f0e0e3aa549cc3eafb4e5e3c0afdcfe6f582b080f3ab637fea55dbf70ba8

SHA512
ed8aee4604420a7d353e1b52509c256aad6f548b699c4f811789ea27fc5d21055f1d97da87edbae084242ac9b1ee38f5ad87db591f051289d122b7eeb2b1022e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1cecbee02870943460792155a70f5a0

SHA1
6a2971d20e8272e0a7bec117a63dd9841cd56b3d

SHA256
842dba5597902bed9e74d08c7a9998ff60e7abf916e9187b7be81e4fe03276a3

SHA512
af73750cdca50c035d438fb27428eaf2c9846f3bf751dc4b026991cc546c8080a8bebaaa9103eaaf54682524b6183efba4dff03a28a9e48b63b8f759826e10a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
953ddbf8f51ea18a0533cf42c29cf30c

SHA1
b3b87415c06406edb79c73682df2c2b89772c240

SHA256
a0ca89c498f211bfa01ddb0fd783b7357550f59ba0bac4aa55c5eb9de01e06eb

SHA512
1c60f844d0f6b05dd71c123aed9072d31874c6bb9c4e61154b2677571a520a14e4f4ce2d4e6e1980ba1869b1c943e2bbf10fe9abf388520f2a48bd34405cb0f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98f7eaaa282e15032108a2ea4ca9f80a

SHA1
52164408a26efda02fc1420f56ba1d993f8e019c

SHA256
76d6ed867a4e374185888f7c7a8ac007c1d483934fcef3ac2ffcfea978d4839d

SHA512
e404067505f4f573e1d6a6a4f946fd316612cd40667a209f8ab3faa92396974274fe2722f4ff8ce8d7d918c77f94cbbce8292d07cd2406a627fde3e68402fefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46cd2943f74b7c02c32ab81a19cdbe32

SHA1
caf32b55b474427e03c88a457605600f432be4db

SHA256
4a8079bd05b36b0985fa453d3b69ca582ee851661e23191fdc809d2631c76a12

SHA512
8ad588e1d66672617cfc572a667428284f064010b470680a6cb16a1c6077f77978340be31ae6553bd39347b4ceb3d129b4c4b728b2d16932f14b88246a848c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81f00c9316175aa43eba66a77dafd8f0

SHA1
6be794c6898fefb91da654743a27eb1e97fb85be

SHA256
28e75091966168b25fc37e9b84089ee3dac95df429f0b925ab349fc019bed9d5

SHA512
95632bd7ca67dd1f585f8995d28078619f15f5f82bd312677875d14e6de06b9d51378587cce3b7530cffc983fac39c3184d5922a2273baaae0288c46ce9a686a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e53f54acfce0ea6f3589df41e8dadb94

SHA1
548d71c58e6926e641dc3e3e1f529e8105d4bc77

SHA256
75f3c85474db8a042c8d664b0d856622637d4af78d3a8dea0746cc7e4146e699

SHA512
2c2a88695d0404f21dddd7615e01acc1cc2fd2ec93fa53dd4fa0810742aac7e6bd6d16400a78eda208d438413faa73218bc4d0a96f6c6331bbd78db8c8d80f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
195B

MD5
f74f791d7077a16401167af637193864

SHA1
ca0657f79b3d7aa8d68076a204896386853cf12f

SHA256
0139bc990b9be13d22801abb9b78eddd9471ff1e247875d76aa2bef33d5204b9

SHA512
7b1ba1cdfe2b070657248fc41d992b6a89e2d9927af5e03737f06f13b96b8a4d8d573f49cc53fae53b5e9544e03c1511a682e790836514b1b79240568e82cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
195B

MD5
2411c2a140fedfddcf0927020af4d417

SHA1
bba024cf2bddd36555d754c3f70e1c65ae081d98

SHA256
58042697356ad9556c805b9d93b7f5c7348321cd6894230a36f5c936bb0714db

SHA512
56684d3fc0a943b51f9bdff48683ee2cbb2e433a71f19ae0119f03f09e00023d7417e735cd74f0b34e531de1dd128afe394579641bcf649b9f830af9ef8549f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
195B

MD5
6e7ddb1ee0a679b3f8ed3b5fd67101bf

SHA1
a87dada138da8f03bac630fb2f534ba2936c9dc2

SHA256
9b2f689854d76b0a3f4a75bc5d556d39782068a886b4c038cd9237c5704b95de

SHA512
73e2e910ba911059e9d2c3d9bcc524a8c5fd377f3f44242c57d4b68600dadcd8bec98e140e130f1a65be994e370f9255804d9d45d595bbd699cc932d62d08e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE024.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
195B

MD5
898872a63c6294cbc360ea9f0b47b65f

SHA1
f840a7418857f873cb6ab67aa1087e1d10af21b8

SHA256
77ecf268873ebe20f80df4917f310b39922945b8ba143c7588c334466a6bed9f

SHA512
c91f4623e78b1cdf218afbb76b447e6291f6b7a8b6c10b5a7ae2705f347cc24e4e87f9549320d6f141d359fd3525724c193b7e682026150f5c2891c983b4c828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
195B

MD5
71ec88a9df3341e153dd798850059e2a

SHA1
72e83f94ea3771024c25e51662afcc90240ddde1

SHA256
7d36b6ea65d005f6758aa4c3f5730e614d4fdf01f89bd6e68e2b6fe1cbd52ed4

SHA512
a995398b26727b330a986094b1eb77123d58726626489bf2b5ec529cd6cd692cb93cc2208d691343a422dd5cc5465da53a36cf5c38a029e618a132c646d23907

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
195B

MD5
756eea97d26c868528cce086aecdc564

SHA1
6963faa49664a142935dcc9e642b75bc735ae298

SHA256
169c432ccaf3a2413a3f5a5c3346582b394334f6a20e3b2f6722708a2ae48cfb

SHA512
8d68e2e6ef9766720d249ae9f1c9c4e1d78c45bfff6d58fc8950e397d167850b2e3ba782754e63b6b3a64ab5b4e705812c5346cd61e6b286d6d396ad93909a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE046.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKGY5p0cay.bat

Filesize
195B

MD5
a12d7e9d64106c0f280df57f3cd69138

SHA1
c2277abdf748011fb1690e012358dd8e53aafe76

SHA256
91aeae2277603231b51eb544ea60642c7979d9d542413d68fe0b8341fdc66c5a

SHA512
905ed54e769fd6b23498bcdbf03cd2059fa685c88c9b87d09eb8fa8bed115884f1b57925ca88626be17cbab0fcb4950b92b2fe1cd0fcb84daa0689d8dd973630

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
195B

MD5
1fd579b66b5ca670352d8d7eb640e929

SHA1
6c3430ed40924aa661e2cd1e464a179ed5f032e1

SHA256
d24186da19580cef4038df0df2de60ce5a1af8fa648f6c74e438e1a896356ccb

SHA512
29b31782e01672a74aa3b63835cfd45e7f00df941ec861d59f0ce210517971ae99a2edb749615880112e35e3a16680abcbbf89deb2a950f297fff0c82eb44449

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
195B

MD5
82f869cc1f176f4685c590279a08d652

SHA1
82dcfd394c3c0e51486c0594be672d9670ee3968

SHA256
af495186a5823beaeb063e3663ff1aac9fc716c20baa5abdcb9c065dfc6599bd

SHA512
b9b4c86bad8e265cb7a98868f496d38eef9434d294c870d489f5142eec34b31f79adacc1aecc1baffab2c0f778fb581f37813eb98ccd97fad5467db93455e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
195B

MD5
2eda285f39e59ba5bad9bb38725cb23b

SHA1
cce57e0ee0626463c8780ab899d938a57b031c72

SHA256
87bde6f8c02cc4873d0a61dc446bf7c5c9709e666611a24d9c629f4634302312

SHA512
15ee48645e5a3fc73a7c63d830ce9346e53b059864e81a8c7c18a25165d3855e59d61e1cc1f4c96f06058532c4cdbc3a665ccb8b172a2dc5295cd182c99fe7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
195B

MD5
b3ecdaba2274b5f8ad3f82d3d08af184

SHA1
c0c57ca81722385b80a17f1e1166f950d681eb17

SHA256
276c209ee246f0a498b2dd78bf5b58eae981eed2eccbb3ea5f320f7754b2f489

SHA512
2c46e13933aefca10c2cd899b22d84c36abf4fb781f19272ae82ba94145c3e83adf021eef7122aee44311b082658e083df71be42867772a942abf6ccdcd4fd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d9308bc2d45e704805879571eef20f89

SHA1
c8bbe33f8a2c99620da129b2db76c3fdf2be367d

SHA256
1b751707a0541cb6ae2fc2bcece376282c07ca88c3e97cba2039db7df4d7eae1

SHA512
5f03aaa01ebe48c0121391fdcf798db689e2f52eadf2fa4c998611784fdbc88c93e69a7560a931731b0b5a07b801ba78bcb3847132f26b256d397c4872935510

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/356-74-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/356-73-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/1504-370-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1696-16-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1696-14-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1696-13-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/1696-15-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1696-17-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/1776-65-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/1776-63-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2012-310-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2044-430-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2224-608-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download