dcrat | 82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe
Size

1.3MB
MD5

0357c98f52b507ac83cc1a07bdeee84e
SHA1

92a46307d6fe7fa6ceac1238a53751a15117d178
SHA256

82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16
SHA512

9bd7ecef33e88df9d3090be588636bf39c7512c301724b9ab83ea6a76632ceaef916f210813b7c991c86750573336cf776dff6406bca3c1ae90949e96c2b5a00
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2288	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2288	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015f4c-9.dat	dcrat
behavioral1/memory/2764-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/1316-66-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2428-244-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2584-304-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/2776-365-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2204-544-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/2348-604-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2292-665-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
544	powershell.exe
3056	powershell.exe
2020	powershell.exe
2816	powershell.exe
1536	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2764	DllCommonsvc.exe
1316	smss.exe
2876	smss.exe
464	smss.exe
2428	smss.exe
2584	smss.exe
2776	smss.exe
1080	smss.exe
2132	smss.exe
2204	smss.exe
2348	smss.exe
2292	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	cmd.exe
2220	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\smss.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
3028	schtasks.exe
2864	schtasks.exe
3060	schtasks.exe
2828	schtasks.exe
2664	schtasks.exe
2700	schtasks.exe
2960	schtasks.exe
2492	schtasks.exe
1580	schtasks.exe
3032	schtasks.exe
1220	schtasks.exe
2724	schtasks.exe
2360	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
3056	powershell.exe
2020	powershell.exe
1536	powershell.exe
2816	powershell.exe
544	powershell.exe
3004	powershell.exe
1316	smss.exe
2876	smss.exe
464	smss.exe
2428	smss.exe
2584	smss.exe
2776	smss.exe
1080	smss.exe
2132	smss.exe
2204	smss.exe
2348	smss.exe
2292	smss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	DllCommonsvc.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1316	smss.exe
Token: SeDebugPrivilege	2876	smss.exe
Token: SeDebugPrivilege	464	smss.exe
Token: SeDebugPrivilege	2428	smss.exe
Token: SeDebugPrivilege	2584	smss.exe
Token: SeDebugPrivilege	2776	smss.exe
Token: SeDebugPrivilege	1080	smss.exe
Token: SeDebugPrivilege	2132	smss.exe
Token: SeDebugPrivilege	2204	smss.exe
Token: SeDebugPrivilege	2348	smss.exe
Token: SeDebugPrivilege	2292	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 492	1576	JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe	31
PID 1576 wrote to memory of 492	1576	JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe	31
PID 1576 wrote to memory of 492	1576	JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe	31
PID 1576 wrote to memory of 492	1576	JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe	31
PID 492 wrote to memory of 2220	492	WScript.exe	32
PID 492 wrote to memory of 2220	492	WScript.exe	32
PID 492 wrote to memory of 2220	492	WScript.exe	32
PID 492 wrote to memory of 2220	492	WScript.exe	32
PID 2220 wrote to memory of 2764	2220	cmd.exe	34
PID 2220 wrote to memory of 2764	2220	cmd.exe	34
PID 2220 wrote to memory of 2764	2220	cmd.exe	34
PID 2220 wrote to memory of 2764	2220	cmd.exe	34
PID 2764 wrote to memory of 2816	2764	DllCommonsvc.exe	51
PID 2764 wrote to memory of 2816	2764	DllCommonsvc.exe	51
PID 2764 wrote to memory of 2816	2764	DllCommonsvc.exe	51
PID 2764 wrote to memory of 1536	2764	DllCommonsvc.exe	52
PID 2764 wrote to memory of 1536	2764	DllCommonsvc.exe	52
PID 2764 wrote to memory of 1536	2764	DllCommonsvc.exe	52
PID 2764 wrote to memory of 3004	2764	DllCommonsvc.exe	53
PID 2764 wrote to memory of 3004	2764	DllCommonsvc.exe	53
PID 2764 wrote to memory of 3004	2764	DllCommonsvc.exe	53
PID 2764 wrote to memory of 544	2764	DllCommonsvc.exe	55
PID 2764 wrote to memory of 544	2764	DllCommonsvc.exe	55
PID 2764 wrote to memory of 544	2764	DllCommonsvc.exe	55
PID 2764 wrote to memory of 3056	2764	DllCommonsvc.exe	57
PID 2764 wrote to memory of 3056	2764	DllCommonsvc.exe	57
PID 2764 wrote to memory of 3056	2764	DllCommonsvc.exe	57
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	59
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	59
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	59
PID 2764 wrote to memory of 2068	2764	DllCommonsvc.exe	63
PID 2764 wrote to memory of 2068	2764	DllCommonsvc.exe	63
PID 2764 wrote to memory of 2068	2764	DllCommonsvc.exe	63
PID 2068 wrote to memory of 1532	2068	cmd.exe	65
PID 2068 wrote to memory of 1532	2068	cmd.exe	65
PID 2068 wrote to memory of 1532	2068	cmd.exe	65
PID 2068 wrote to memory of 1316	2068	cmd.exe	66
PID 2068 wrote to memory of 1316	2068	cmd.exe	66
PID 2068 wrote to memory of 1316	2068	cmd.exe	66
PID 1316 wrote to memory of 2716	1316	smss.exe	67
PID 1316 wrote to memory of 2716	1316	smss.exe	67
PID 1316 wrote to memory of 2716	1316	smss.exe	67
PID 2716 wrote to memory of 2112	2716	cmd.exe	69
PID 2716 wrote to memory of 2112	2716	cmd.exe	69
PID 2716 wrote to memory of 2112	2716	cmd.exe	69
PID 2716 wrote to memory of 2876	2716	cmd.exe	70
PID 2716 wrote to memory of 2876	2716	cmd.exe	70
PID 2716 wrote to memory of 2876	2716	cmd.exe	70
PID 2876 wrote to memory of 1924	2876	smss.exe	71
PID 2876 wrote to memory of 1924	2876	smss.exe	71
PID 2876 wrote to memory of 1924	2876	smss.exe	71
PID 1924 wrote to memory of 2616	1924	cmd.exe	73
PID 1924 wrote to memory of 2616	1924	cmd.exe	73
PID 1924 wrote to memory of 2616	1924	cmd.exe	73
PID 1924 wrote to memory of 464	1924	cmd.exe	74
PID 1924 wrote to memory of 464	1924	cmd.exe	74
PID 1924 wrote to memory of 464	1924	cmd.exe	74
PID 464 wrote to memory of 1552	464	smss.exe	75
PID 464 wrote to memory of 1552	464	smss.exe	75
PID 464 wrote to memory of 1552	464	smss.exe	75
PID 1552 wrote to memory of 2604	1552	cmd.exe	77
PID 1552 wrote to memory of 2604	1552	cmd.exe	77
PID 1552 wrote to memory of 2604	1552	cmd.exe	77
PID 1552 wrote to memory of 2428	1552	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82c922475404a7d5d4c6744b7962f692b94750f837a98b21417dd5ef109c1a16.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfYcEH062N.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1532
      - C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2112
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2616
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2604
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        13⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2092
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
        15⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2644
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        17⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:760
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        19⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2352
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
        21⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1296
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        23⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:552
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        25⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1988
        
        C:\Windows\PCHEALTH\smss.exe
        
        "C:\Windows\PCHEALTH\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        27⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08e57160fe34be946d1e1dcfb0cdbfed

SHA1
f704e326d7c1a26ea605d618f1cc068169990d07

SHA256
b8161ea834b59a5d46b92f2f40ef3719d7726262851fb7ef8811523627f970c4

SHA512
998d536ba31c328311c6768f23798298eeb415af36d1c5a3414119ecb042c7809f0cee0494aae7359ae863e92244e9a06e6ef7b527446032591c6fc614aa991d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
530c15d202040afb20fd11c9c35c967b

SHA1
a3b410da9d2975973e00ce76928470af5b0f48d9

SHA256
97fa1024e1541d3627739c2a208521805899618ee6be66c2c4191748482d2960

SHA512
5eb4d990c1036991c07bf7cf2cf4d1c7f6361ceeb20a33576e7c186d2830775fcdd221d72700b739aa5484f3c41e627a0d390c825f31460784795ae924a1f1c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c96867b7215c1fbf6e296f5b940fc4

SHA1
c3531abf2991591f6caf986cc745d328aabbe120

SHA256
882ea4acdb50d9abb04b28b73217caeef5cda4177ee790a6fb9a014d63bd68cf

SHA512
c60d9ad777c8c5d13be536e4622dba8242d3f32d97e69ff29f359e0a1f3701b8f6be20342979c673d779c9fe24147122e7feb2e5399dcd225a272a65ab6b0bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea90bca269a507915053da2cff3a53ab

SHA1
159b403a1fad95352f69a693c3f857af104d5f78

SHA256
687d4d5713ceea5b0d25f5590bfec0da92c6fbdabe27946c8c559274e00d9e36

SHA512
e7331506f1ca694eaeae957926b539725e6dfced829344b373ba508ca81606be729886c3d7a3ff19ba7f57654d6f14b742bbe749be163a530da7dbc4913e6eef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19fe3140b29520ccc20622514899289

SHA1
0af75707985dffa66b1d7a3c76c7a96b4392c75f

SHA256
4225a17b7be2078308bcc1a3615495091f5afc73d7fbb23f0ba2f5e48d3f1645

SHA512
7d30dd7b9ac4b6ab618be69c346ab86f8d4c84e86ac0a78c82e624948f85d9bc6574cfec156f4338e47f19f3f3913da013731bf6cb0795697ef2df8d27d447d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41275072831cb3773a5d9b21e0705959

SHA1
0a4b041710f9440b1ac02bfad9941e7eaa63ec4a

SHA256
3fc71bde03dc8746468280a1bb1446713279783352eb6cfa617fa31cbbed11dc

SHA512
15531f4ac8832028c42674b299e7ad12a701b87f49e9a0faf29fc69efbbae0ba0d548e7a8efa7828d02d9cb9d03b2c4879992f20b4a14317eb6743e7957662e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ab1881f8b0ed670638203d5b68f6a2d

SHA1
8f54979c28d7f689baa402adebaee2b428b23546

SHA256
21a27f42b94ce6745d1b46460321a7b451245a13b12feed0e21dc72d05088dc4

SHA512
521b1e3583f2ff2da4448ee38af12cc205e7770764f77741dde1148a5a12688cb8504900c68c37caf5f5f7213666317279e5bb52ffc875ce952392228dc91346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32feec41e45e6bf3eeafb564903310b2

SHA1
e8d76b7cbb88a5a0ad27877ba64d91c0c52c00a0

SHA256
9dccc92205bb3708fdedd33a0208f332ded754d8ac8a1fe30dab9badaef0dd2c

SHA512
516240dde969e529b745d67831a86eabef4be687a1fb3ee48da1abaf9ac25e06adb46bca6d9df6b0ae18eae2c9d9cade34adfd11f452a086ddc103edd9f488f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
957629d267d097bb946de701b0f44306

SHA1
b2f67e0aae2fb1e4b10a2bb22e1072048b47569e

SHA256
97c2652f399a6aadb512a8d59457ae9571b607e469fe36d7812c9051921a4f96

SHA512
1c2e47c1449b3aa6e8b2296d74a1b01e8433f986db707818e74c82077cd31e28d1bb6fbcf3ce27dee89572570a546bdd67e2c38aef8a7b10db6b7e61c30b2a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13a817741b7995297cda262372b9438c

SHA1
229ffedf0e3a8985f7f53392d5bdc94a50d1f900

SHA256
201f5d7b15825c80dcd3fc235b94d0e5b0c9a21b0b0a9e808d9930cd675163e8

SHA512
637a4183106d771265a82232579cd984d444b3317f213b3d3bfabae75b53a88622cdaa779d28d3f2329d0691631b0fab7e32f1e8c7743f58bf51c4f7ecb9dd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
193B

MD5
558cad3458998433e7562787b4c93f4c

SHA1
c49fd154898d30e2f207ef003f0068aa80e5a42a

SHA256
4cc4a84e0e7d267ed1331428731f5df1765fa784042f3bcacc26af12816a113e

SHA512
27e9d8390cb6863c71ab92eb8a5dd04011ca7a7d0ac061ae2bc51ea09bd11887a68556e382ac815f855e0b667ee6d2e96e189edaf7f4a58c4728f027c9adc224

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat

Filesize
193B

MD5
a9dd11f63ab82b83cc509d60a2d8e299

SHA1
da995ae5e81b84cb901fbdc7c143b05d2928f0db

SHA256
2e00229df0c181b66f6d4e22d5e5994fd5c3699a82fbcc04fd1971c917d75b42

SHA512
7718db4d9d24898a30040beb8fade6b573937d8ac34833dfe908c37bb50616d58761a60012f0d8282067a314c70b83d0a0220f03acba5dcf144b8fb16addb893

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab145D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
193B

MD5
780c0bf803abe319b312c5df96e86b50

SHA1
97c0d70deefc781cc5769abf0a87779d82ca1f78

SHA256
a5bb37fcdc3bb31cb3a8b86f94f08286f1be15fe0baba69f2500a4acefdc8632

SHA512
9d4d0083ec387f0c946e0fa7ea800cbb46f770799afe1fc0100c7906f8e452aff5d4840a00638d0058472f7512e09167a85867c595351347faa1d07fecfa5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

Filesize
193B

MD5
c66586546f09f1ef91bbbdb082ecaeab

SHA1
c7fe77055f3e7bc249a652051a33379e3c1bf221

SHA256
00e3168d6467463b40a60fedcf2453c6a1eafe1b2c583eae104f6c4af726ff93

SHA512
0fed4719a187ede22e93bbe785dc9bc1752c6888380a6df896f12d948e435de9f687a60a37f5c4d6151c6cc81b2d33b1d77850df12972c4a3dc4ed09f750a7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
193B

MD5
f66887a4910dba1234956f99320dda31

SHA1
f749cac0328b0ba06da0756cc886eeecbec4881c

SHA256
d66a2f029ee1cb562265830e6f504ffa5e5972ae387f517caa7dbc69c7be3fc2

SHA512
4073b2273ae09c1f4988d79da5d01481f33ca0c80d93e39d90a0a8c616740390ebe85c9c91900928c7ca800ecb2a304fae14cb37d3f232397d0a434b3fbad3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IfYcEH062N.bat

Filesize
193B

MD5
5518ef4461dab18379da59ef186186e0

SHA1
1dfc9ffbf533f24f296d6faa7e0bf26bbe819cfb

SHA256
c297328ce961e3025bc9bacc023824820814e5905e233e3c715110e294dc0cd4

SHA512
7630ddf90621532a7e69de869d30156f56051546526c1ad5f0ca27b34ae4efce8205ba8e62e2030b05f95db80d4723ee61047f93e5c3477f8741b778ccd88048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1470.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
193B

MD5
d01359026b716570373f1d75cb74c9b8

SHA1
69c4dad5510f93c9c341eb49beb406a16cb236f5

SHA256
0144ad1c833a3c45050ddf5d4af7f2b6dd5fc08a1b2ef5c4cb2d38b7138abab3

SHA512
93c544a520e47a64042fe8f76843870fbc5af4fa1c1c2ea6c68b19791bf5cc090c472c8c0933b74a2de39f55ac4406cc71eb000d1f99de13fc7d1d26969b4310

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
193B

MD5
e022b1a455fa9b3d1998638d92da9604

SHA1
2ff1556ceb03c221b0c33c3262cba2938a9b6d11

SHA256
c4a31f63b21a3ea7dcac1a7e2a161c1d2711fb76e116fd78cb4fb7ed46a6e7c4

SHA512
2294c66b7b33f1c74ab33cfb53a5064d653d0eb24221b4064094c55fcd2c4180f4fbfccff40deeb1987251fbb3f9ee28bbc867afd8640bc263bcdf3a2ded9566

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

Filesize
193B

MD5
363f3dd460f61ad1a591c4b99e4fc19a

SHA1
789e10a7fea11a4d1a3a3c88b49fc83bd78c0255

SHA256
d551be820bbbd48eb8022aad479b64863deb0bc32653cad1ca2e1cfc4d67cb6c

SHA512
655584ef27bed30fece74fde9732be0fb492b4333c1e89c136863946e3ef34bbad871cb3d95484a6d15312ff55e903196735eea963284c1f7fbc1645d9bf33aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
193B

MD5
e80462bcf397fa4714eef861a6f47fce

SHA1
6e76209783db02e4fa85f70c89f6010a1fa69b83

SHA256
888776ad4a474db6b6e613b72df2ad869be95f97f9d442d45c22be8caccd08f5

SHA512
40e5e62457dc0beee0532a4af5c3c26c372be75eaca756064fa3ed340c0bdfb624b33f873568e6a1e33ee12779084c0ef5c6cb80f80913f22756544275135f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

Filesize
193B

MD5
6b8bebd4d389c7e44baec1ef08c77b7b

SHA1
de871469aee2410093584d585a984a762e71f133

SHA256
3ca42929c7dc960f22f4b2043523164202fcb017ef137f707fd51fc12587c457

SHA512
dfee24bfe9e05efc75fbf0adcd60596f8043fbc9078df8646a4a3820b6cc914030cef87ec2a4e2564882dd582165bd6cdc0490c4379b7584de8dabbe73c59ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
193B

MD5
f9be0ea3a1786866197e73d4cc58ebf4

SHA1
5f5828ac130b07212cfbf655f525c60213b437e8

SHA256
df84516cd4037875083220eb0d1da16e1daaf354c8de76d44771b28f3a0570f5

SHA512
17c607464300ec7a06b5efe10f8d7860b95c9ff8d88dca025f306558c9a777fbfa6a1d53c08c57a81e440412dc51d4e5a5e6cc8daac5dced86c41c78033eeac4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c4bd4f972a9b8c9621c9ac91bc24d79f

SHA1
cf1406838a904f0515d79875295785cc2605e966

SHA256
980bc98a94e0b9ed0e84b2f876e0cdf785cb33b8f3ad66760470d6fd01c8d86b

SHA512
c0ff175f8cb3a0e466ede710c584388f529aedf3f39deb2f4b083c560682d4d9db5e1b995378835db2e3e63904fd872cb7c128ef897a2b3d433547995b1224df

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1316-66-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1316-67-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2020-45-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2204-544-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2292-665-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2348-605-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2348-604-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2428-244-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2584-304-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/2584-305-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2764-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2764-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2764-16-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

Filesize
48KB

Download
memory/2764-17-0x0000000001FD0000-0x0000000001FDC000-memory.dmp

Filesize
48KB

Download
memory/2764-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-366-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2776-365-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/3056-46-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download