dcrat | d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe
Size

1.3MB
MD5

ede00a17f0ef2a6b005d5c88571efe60
SHA1

faa8a981fa3a8f57c5f90bdec0cedb68db3bf6b1
SHA256

d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736
SHA512

d009d143fff741395fce8056d1255ea622e14417bbcf36027f3c4bd7f6d8792054b37f08bae3cb6d01cbc9e06cfcfa0fccf62ef677f0f0391a5074d62084f66e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2584	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-12.dat	dcrat
behavioral1/memory/2872-13-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2316-73-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2080-132-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2420-605-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1096	powershell.exe
316	powershell.exe
1504	powershell.exe
2776	powershell.exe
380	powershell.exe
484	powershell.exe
1284	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	DllCommonsvc.exe
2316	Idle.exe
2080	Idle.exe
2040	Idle.exe
1132	Idle.exe
2868	Idle.exe
2628	Idle.exe
1700	Idle.exe
3000	Idle.exe
1080	Idle.exe
2420	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\security\ApplicationId\PolicyManagement\services.exe	DllCommonsvc.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\ja-JP\smss.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2360	schtasks.exe
448	schtasks.exe
2080	schtasks.exe
2380	schtasks.exe
2900	schtasks.exe
1976	schtasks.exe
2020	schtasks.exe
1592	schtasks.exe
1992	schtasks.exe
3028	schtasks.exe
2008	schtasks.exe
1308	schtasks.exe
576	schtasks.exe
1920	schtasks.exe
1476	schtasks.exe
1868	schtasks.exe
2000	schtasks.exe
684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
1284	powershell.exe
1096	powershell.exe
1504	powershell.exe
380	powershell.exe
316	powershell.exe
484	powershell.exe
2776	powershell.exe
2316	Idle.exe
2080	Idle.exe
2040	Idle.exe
1132	Idle.exe
2868	Idle.exe
2628	Idle.exe
1700	Idle.exe
3000	Idle.exe
1080	Idle.exe
2420	Idle.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2316	Idle.exe
Token: SeDebugPrivilege	2080	Idle.exe
Token: SeDebugPrivilege	2040	Idle.exe
Token: SeDebugPrivilege	1132	Idle.exe
Token: SeDebugPrivilege	2868	Idle.exe
Token: SeDebugPrivilege	2628	Idle.exe
Token: SeDebugPrivilege	1700	Idle.exe
Token: SeDebugPrivilege	3000	Idle.exe
Token: SeDebugPrivilege	1080	Idle.exe
Token: SeDebugPrivilege	2420	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe	30
PID 2092 wrote to memory of 2856	2092	JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe	30
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2856 wrote to memory of 2704	2856	WScript.exe	31
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2704 wrote to memory of 2872	2704	cmd.exe	33
PID 2872 wrote to memory of 380	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 380	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 380	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 484	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 484	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 484	2872	DllCommonsvc.exe	54
PID 2872 wrote to memory of 1284	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 1284	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 1284	2872	DllCommonsvc.exe	55
PID 2872 wrote to memory of 1096	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 1096	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 1096	2872	DllCommonsvc.exe	56
PID 2872 wrote to memory of 316	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 316	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 316	2872	DllCommonsvc.exe	57
PID 2872 wrote to memory of 1504	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 1504	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 1504	2872	DllCommonsvc.exe	58
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2776	2872	DllCommonsvc.exe	59
PID 2872 wrote to memory of 2240	2872	DllCommonsvc.exe	66
PID 2872 wrote to memory of 2240	2872	DllCommonsvc.exe	66
PID 2872 wrote to memory of 2240	2872	DllCommonsvc.exe	66
PID 2240 wrote to memory of 1832	2240	cmd.exe	69
PID 2240 wrote to memory of 1832	2240	cmd.exe	69
PID 2240 wrote to memory of 1832	2240	cmd.exe	69
PID 2240 wrote to memory of 2316	2240	cmd.exe	70
PID 2240 wrote to memory of 2316	2240	cmd.exe	70
PID 2240 wrote to memory of 2316	2240	cmd.exe	70
PID 2316 wrote to memory of 2744	2316	Idle.exe	71
PID 2316 wrote to memory of 2744	2316	Idle.exe	71
PID 2316 wrote to memory of 2744	2316	Idle.exe	71
PID 2744 wrote to memory of 2064	2744	cmd.exe	73
PID 2744 wrote to memory of 2064	2744	cmd.exe	73
PID 2744 wrote to memory of 2064	2744	cmd.exe	73
PID 2744 wrote to memory of 2080	2744	cmd.exe	74
PID 2744 wrote to memory of 2080	2744	cmd.exe	74
PID 2744 wrote to memory of 2080	2744	cmd.exe	74
PID 2080 wrote to memory of 2736	2080	Idle.exe	75
PID 2080 wrote to memory of 2736	2080	Idle.exe	75
PID 2080 wrote to memory of 2736	2080	Idle.exe	75
PID 2736 wrote to memory of 2244	2736	cmd.exe	77
PID 2736 wrote to memory of 2244	2736	cmd.exe	77
PID 2736 wrote to memory of 2244	2736	cmd.exe	77
PID 2736 wrote to memory of 2040	2736	cmd.exe	78
PID 2736 wrote to memory of 2040	2736	cmd.exe	78
PID 2736 wrote to memory of 2040	2736	cmd.exe	78
PID 2040 wrote to memory of 2960	2040	Idle.exe	79
PID 2040 wrote to memory of 2960	2040	Idle.exe	79
PID 2040 wrote to memory of 2960	2040	Idle.exe	79
PID 2960 wrote to memory of 1708	2960	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d798c76705945847a41b2702fe0c7d097dbd67648781c918d7f4141d90a8f736.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RMMlzVojtJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1832
      - C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2064
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2244
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1708
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        13⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2568
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        15⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2792
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        17⤵
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:300
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        19⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2772
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
        21⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2808
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        23⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2780
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        25⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cbb2da84b23708c7b4e88ef04d5fbd4

SHA1
9cb7180509d6b9e3e3037bd6f15f1a44b7d6b347

SHA256
3fa070c2cafaad07e1e5636157b32a10dc662d789c07ea1f3d1a459b4e36e49c

SHA512
3b10b1bd8748d922cf51357ea0ae8305478cd928e3ba2adfbadf38cfe3941599cf86f3e6bd103df27fe1150c4ed54db6e267992365c3592c5f79d469045a0889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ba31a64070f96f8f618835cc9a29d03

SHA1
d2862c8dc3d1eecf59fe601085d5f4d5ed1a02b5

SHA256
431b14ddfe135a4717021af92ff9c432da95f38ef8cfe79cb991033519d17eab

SHA512
dc340faa7ce158a4d94cbe9ec074972851d74a690e533a85d27e5361832fbb856a6a2576c952f3f70939a34d9ca2af214dfe1c64a5b95f2e501af505d861fcee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b37a13020458e55ffcec4470d4d2b70

SHA1
b7c858dad4dda3ff537785ce7ca41f801216493b

SHA256
8bd4572cf0fc468a9c3fbf1c6b6ded0e6494d35c98f65a566f1103820818dfd4

SHA512
a41439cd702a9f677d2789dc3c2745a5b540ab9d69efa3d7e3bc2669e56958b2c4d50d0304cd21d35625b4d0bd4ef292bdf80a143f662929a74b70266d032aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91216e80daae5bb90be9e92fb52e2b8b

SHA1
aed7eb900d9ff668b381ec7ea2a0c2c0b7a8ef21

SHA256
2c5bd96ff06204d420e73d9ba4b5c9514133b2639fd6bcca9d907d204bb969cd

SHA512
3c2f0126530efba2383f619e52003e95048c0131fc7cfe2baafa3ffc51840c43cee129ccc6698581a3e49c090e8e068d5f1ad08c778aaeb17022a2a76e084f75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b42a9ee8472e84bc35ea5387a648d2b

SHA1
7df33bfebca774df78dd87ecd32f1d285d7d3c84

SHA256
ffe744949cc5270df94ca7708e105a6d4e7c9512338ee6be289aabfb937c8635

SHA512
486cdf7bb983bb9b04af32cc5db7263a1a2622b1cbc68bc57a6076b80100ee9de3f08c4527dcd57ca6094923c1b346b14fd03a1869541fc12a4623440083ab8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
127318e4e5b47a73eb9488d9737bdb28

SHA1
02db789fddaaa141e0d7e392f948806278bcf4f9

SHA256
06a4c418eefdcef62741018cd3a8813a3c562028dd50cdcc6b8e2aae45ff684c

SHA512
01758510d3050eb527bb54f7826f78f353ec26fed5b9c9e6490a6fe7fc8490eb6a76c176d143508771ffcb47332a99763cea7d44b498d267392fc1d7c3274679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff99f71f5254e784da14c20793e5acf3

SHA1
5582f3d06435270c891f365080fd9251d0747827

SHA256
237eeae43891bde4e682ff6e555fe61d87c030e1447bdf0827ab5a1e50ac43c7

SHA512
59dc33efbb454eb908298cbe34041ccaac9aaa0e5546929d73db0eeb76c29a814c3354e5616dead5d977899ec1998b17ea9112779bba75a5b608a326031f3cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
012e03ddfccf8af8ec3c8e419621ed10

SHA1
c48ea909d7a645197acd9a437582bc55d61cd3cb

SHA256
1ed3f00a0ca8e54b5e21b06cf7b7c9070d5f3f5ba29f6b72755cbac46079fa78

SHA512
cda96ac22356d492a1fea8f70e94ab261dc1828c77b3db62b7bb00e7182bdc05b4a0916653032d9ebf86359dc33690dfef63aa2fb1b196f67642e58e42b9ccc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3be8d4f367f91f142addda3506f5144

SHA1
c41db55b6e0cd4da31592ebded09e136e50f4340

SHA256
3a9ea9828744ebf8a3736c8bb3a09b70fc903adcf816c15980fb12eca730f666

SHA512
e481759c44e73fa8bc49ec27f4bee0d65e5cec75947f1ee2922e31dc0e1455e72015b087587d1e864e5135e30e5eb557cfd8301159009ef810343a1ed819720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B91.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
195B

MD5
3c137ae9bd11919e5565b6c06e552882

SHA1
13f733cd59d9354f69673ba3f36bdcd8dc357bc7

SHA256
77b666be012bc71c7a1ea150e94551b9458c385cf8db86954be8ffe4fb16edda

SHA512
6b9c2c90c07ab459d70499072c6947bfa51927e8b34bb3adaf95f0db6484fcb980ebf180dffe2d84d5b4e6b85664e4915969265e71c46827f609d4342a8c0b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMMlzVojtJ.bat

Filesize
195B

MD5
84827e7a81e400b163bd41d3e8d65348

SHA1
ce426f51f9972c2d7b6589f793ce6654285292d1

SHA256
a096bcd0faeacbd15377085fc9c4bb092cdfa0d68a5af25b2f5651b8ff6bd161

SHA512
334e971ff5a44de766a12d88deba328ef8792a8233140f38a312ad7cbe38c05042b2ded33766a49d3e10b6e681aa83a62583b2ca3bee723bf7d008e5e47eb33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B94.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
195B

MD5
024c2dee085d50900bb2b5a49075062f

SHA1
aa556c9688e2fb1ee45562333a62b08a72fc0a1a

SHA256
42999a97b9c23aba5446b951a37f8b970edfb1601e0269680c07628a63a8d6cb

SHA512
4ad90836e0f578232da25b9142d91299fb477b790cd91137792003754bcf6c23414e2b00cda547394ecdb0615e801c5e4599623feb639f8b976cd2e327af1cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
195B

MD5
c7249e2fc279c838ad3bddaa109f98fe

SHA1
68ff87ee7f4e75d2ae59e35b26258fc4d53ef35c

SHA256
d3c95c4758479d9994ea1706764d85cafad2eef329835b654258440c45fcdbdf

SHA512
db7708dcd2047f0ed98ed800403f1874f78da277f42e017a6589c84ae3acc64daebbcc2ee6f3630fcbf6611f056adce3b507c0897e277af3bd100b0af50ee1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
195B

MD5
f2658e2115867e2784f40b4f6d347f46

SHA1
0de1d07e527f55f7581c45f34c35578a48060aa1

SHA256
9b01c542e439aac2be48cf89f97332ec7fe3c3df9a6ffc0feffd08dc9d3d72b1

SHA512
325ffa93c852ab77ee5ff4888af64135fc3d16c65888f03f20daa5d797b507b7d60e2aef73e9ff3225bbc5a6be07b0cf70a3e0820977d02ee7474da8fa576bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
195B

MD5
d09050b80b943e43bca61e4b5c32547b

SHA1
b427948b22b9fa613cf9f9dc1cebd0e6dc441bb9

SHA256
94e43b0364f195830edc46a4b0835ab0d75ebf651de281bc137c126e0fd1b7a2

SHA512
9271e6a12d20f7756a4305aa73197aab2039d6b73e63e02a40ece55817ae10ad6563606acd16df5b428c2af9e6acc1c437e73a03cd950dea84ce0909b46ba562

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
195B

MD5
3ca52624f72c1491141b7bb5fe99fd95

SHA1
3f5657ba6dfcca3112e48bdd262806a027d4b887

SHA256
a2fc990c71df39f260e55e9488688c9f141aefe10d1f29ef9b876fb1185ec7f0

SHA512
131b24e19896029331640cbc6c45d4c258e1ddb4a1a994c52e133df80f9b70646b01674a29c41141f0d05e333071ffa2307d480244096cb75b4a15cc1231a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
195B

MD5
58eaa6fb5a3d342fef79c79fc6cabd82

SHA1
32d6397f9d470c2d7f4456e74527d42a65f2f1f9

SHA256
9b5912951a4dd2f86ec19236e62bcb40a2895c1ca375a0fb12128bd9de670e64

SHA512
4d4e5834f290742c6afb30072697fbdc70503bd4a7569f3c355f4b3f1c7e833be97cf69542c80e5c7ed41337727e0ac52780134ec19aa19ba2d78037a63ba69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

Filesize
195B

MD5
e14f2e60fc8ca4b9019bd48727a9d79d

SHA1
c49c1b672b3933fc2cbcb125e89cefcaf36a066c

SHA256
b82efd7345b1087c5ac8463b3f672798bb0404279c2b44dc961452badb826ffe

SHA512
494a8c423bfb67fa660c4bdb9ee8f077f0530216e7491629494d7297fc96a9daa1a18e8f45a46946c6ea57e90361bd9c2b3d231e0dfe8cef232dd8acad66cbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
195B

MD5
08c20bb73745a4769e2708b0f1710bbc

SHA1
90e8ce4fa7b6757c3b270b6ca34ea0ecce7af92a

SHA256
34e5eadd52b6c59425c2510f943053b2bc68c7e1d3f42f055fe616a3ea84d3d5

SHA512
39d28b5498e621633bff3ea87eade1c78911e0cd3e52b837c5868f083fa0d1f796165119ecc3ee868b2234c137e91be58ba7a5cb1646d010169d1c5b9d4fb6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
195B

MD5
7b8ee47d7186b50d93d9e4f85d15df05

SHA1
2652ec19355be3321a219b711dae3c3edf1bdef0

SHA256
0fcd4ee232c49d32c55a835acad6ae0027425878e9a6841f64f49aaf62cde7d4

SHA512
d3137429e45d2a8a0ae4f60352058b99769f8b769aad2fdc1b212739f17e7a680e98363438f7fe5c2250368ddd0a7b1a732e8e156a2803dc653cedbd161d7306

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96be29dc58f96d92ce28b9c95d77450b

SHA1
e8776e0b65abfd9cb473340740b068237b3f5108

SHA256
38584752777ff2abbab90b8b8910219bc4ca395bcf20c642a20d8d8d429e8266

SHA512
5a1507fb6736ddf068eb132671f8506a9d5a3dc7d649cdec404f594a8347c0089e054ab453eff9f70b368de9d0eafe620adc61a4e2584e095c1ea47157497372

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1284-38-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1284-39-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2080-132-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2316-73-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2420-605-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2872-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2872-13-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2872-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2872-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download