dcrat | 99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe
Size

1.3MB
MD5

e04e9b351573dde7b469c75b567c0497
SHA1

7a1093ac054cc74255a4ea583d4c8c79c7b81876
SHA256

99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8
SHA512

d4296abb1dd2657115bca9cfd512553e07c97334e817d14d02f941c06ae3d2c410f51aa0a6bd489bb204b3af94079dd2d036ce35f5eacc9669c920d7547bccba
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2848	schtasks.exe	32

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014b28-12.dat	dcrat
behavioral1/memory/2904-13-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2000-36-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2572-131-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2144-310-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/548-606-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1752	powershell.exe
1756	powershell.exe
1764	powershell.exe
2340	powershell.exe
664	powershell.exe
1536	powershell.exe
1508	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2904	DllCommonsvc.exe
2000	spoolsv.exe
2572	spoolsv.exe
1556	spoolsv.exe
2236	spoolsv.exe
2144	spoolsv.exe
556	spoolsv.exe
2736	spoolsv.exe
2368	spoolsv.exe
2624	spoolsv.exe
548	spoolsv.exe
2096	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
552	schtasks.exe
2832	schtasks.exe
1800	schtasks.exe
1672	schtasks.exe
2500	schtasks.exe
2520	schtasks.exe
2972	schtasks.exe
324	schtasks.exe
2380	schtasks.exe
1680	schtasks.exe
280	schtasks.exe
1112	schtasks.exe
2016	schtasks.exe
2560	schtasks.exe
2860	schtasks.exe
2548	schtasks.exe
332	schtasks.exe
572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2904	DllCommonsvc.exe
1764	powershell.exe
1536	powershell.exe
1756	powershell.exe
2340	powershell.exe
1508	powershell.exe
664	powershell.exe
1752	powershell.exe
2000	spoolsv.exe
2572	spoolsv.exe
1556	spoolsv.exe
2236	spoolsv.exe
2144	spoolsv.exe
556	spoolsv.exe
2736	spoolsv.exe
2368	spoolsv.exe
2624	spoolsv.exe
548	spoolsv.exe
2096	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	2000	spoolsv.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2572	spoolsv.exe
Token: SeDebugPrivilege	1556	spoolsv.exe
Token: SeDebugPrivilege	2236	spoolsv.exe
Token: SeDebugPrivilege	2144	spoolsv.exe
Token: SeDebugPrivilege	556	spoolsv.exe
Token: SeDebugPrivilege	2736	spoolsv.exe
Token: SeDebugPrivilege	2368	spoolsv.exe
Token: SeDebugPrivilege	2624	spoolsv.exe
Token: SeDebugPrivilege	548	spoolsv.exe
Token: SeDebugPrivilege	2096	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2792	2284	99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe	28
PID 2284 wrote to memory of 2792	2284	99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe	28
PID 2284 wrote to memory of 2792	2284	99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe	28
PID 2284 wrote to memory of 2792	2284	99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe	28
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2904 wrote to memory of 1752	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1752	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1752	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1756	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 1756	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 1756	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 1764	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 1764	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 1764	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 1508	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1508	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1508	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 2340	2904	DllCommonsvc.exe	57
PID 2904 wrote to memory of 2340	2904	DllCommonsvc.exe	57
PID 2904 wrote to memory of 2340	2904	DllCommonsvc.exe	57
PID 2904 wrote to memory of 1536	2904	DllCommonsvc.exe	58
PID 2904 wrote to memory of 1536	2904	DllCommonsvc.exe	58
PID 2904 wrote to memory of 1536	2904	DllCommonsvc.exe	58
PID 2904 wrote to memory of 664	2904	DllCommonsvc.exe	59
PID 2904 wrote to memory of 664	2904	DllCommonsvc.exe	59
PID 2904 wrote to memory of 664	2904	DllCommonsvc.exe	59
PID 2904 wrote to memory of 2000	2904	DllCommonsvc.exe	65
PID 2904 wrote to memory of 2000	2904	DllCommonsvc.exe	65
PID 2904 wrote to memory of 2000	2904	DllCommonsvc.exe	65
PID 2000 wrote to memory of 2628	2000	spoolsv.exe	66
PID 2000 wrote to memory of 2628	2000	spoolsv.exe	66
PID 2000 wrote to memory of 2628	2000	spoolsv.exe	66
PID 2628 wrote to memory of 2696	2628	cmd.exe	68
PID 2628 wrote to memory of 2696	2628	cmd.exe	68
PID 2628 wrote to memory of 2696	2628	cmd.exe	68
PID 2628 wrote to memory of 2572	2628	cmd.exe	69
PID 2628 wrote to memory of 2572	2628	cmd.exe	69
PID 2628 wrote to memory of 2572	2628	cmd.exe	69
PID 2572 wrote to memory of 2124	2572	spoolsv.exe	72
PID 2572 wrote to memory of 2124	2572	spoolsv.exe	72
PID 2572 wrote to memory of 2124	2572	spoolsv.exe	72
PID 2124 wrote to memory of 2376	2124	cmd.exe	74
PID 2124 wrote to memory of 2376	2124	cmd.exe	74
PID 2124 wrote to memory of 2376	2124	cmd.exe	74
PID 2124 wrote to memory of 1556	2124	cmd.exe	75
PID 2124 wrote to memory of 1556	2124	cmd.exe	75
PID 2124 wrote to memory of 1556	2124	cmd.exe	75
PID 1556 wrote to memory of 2088	1556	spoolsv.exe	76
PID 1556 wrote to memory of 2088	1556	spoolsv.exe	76
PID 1556 wrote to memory of 2088	1556	spoolsv.exe	76
PID 2088 wrote to memory of 1444	2088	cmd.exe	78
PID 2088 wrote to memory of 1444	2088	cmd.exe	78
PID 2088 wrote to memory of 1444	2088	cmd.exe	78
PID 2088 wrote to memory of 2236	2088	cmd.exe	79
PID 2088 wrote to memory of 2236	2088	cmd.exe	79
PID 2088 wrote to memory of 2236	2088	cmd.exe	79
PID 2236 wrote to memory of 2128	2236	spoolsv.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe
"C:\Users\Admin\AppData\Local\Temp\99a20865f28fae6e6830052801b8a41952a9d5822ce80d6d1abce47dba6552b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2696
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2376
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1444
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        12⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2764
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        14⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1792
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        16⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2200
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        18⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2728
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
        20⤵
        
        PID:1256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2984
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        22⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:896
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        24⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1760
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9523bc16d96141845d902c69fc053c

SHA1
e25691091e9968432d14f260cbfce214e186c6a7

SHA256
2abf8245d22c01bc43d0602ce479c59b3a178b412405adefad37f32187d8f8e0

SHA512
669a46bd077cb330c1bfbc9d05dbd2b729ca09f1fda36efd3d858df1d27633e30eed2714e42b44920e36a35801ccbbec9ef842177d669d2cf88be2abebaeca65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8cdcc432567a8802e5e97e0ebff0e54

SHA1
b107aee512e2f8ba1167e1e03ba1ec30da9d78be

SHA256
93500406a116f0e3cfa8618f018f885b1b58e4cdd02da3f357d1ca1a015f0629

SHA512
f5560124471f029cf3c05e37744ba8cf78b4bcbc4b954ce93f3e546cea17b79272defa6538f9e0cd24ed8f0b45fdb4fd90fd40ae93565778352198685a67d1a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54d7ac63c79aa1db0735445f9d2788b5

SHA1
c3e47d22ff2d61fdbec000ea08c2f8b59206cc6a

SHA256
bbf19d9c7d54a695e25c367e19d81634b9341a4277e97196c5dfd1ffbc4697e7

SHA512
8e6fdcdf4bf3e2267d2d486edab7493932e2f8ba89628e513cf427486d2ebe852c638807309f28205c6ba0faf19c3e39f8df8b8133fa37f6939073372c69797d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1394498f57789cb04064a9b45eb44b0d

SHA1
96c448448025e7742efd5dfaf750f5ca8b37936e

SHA256
5cca964940177a616461b40fc9bf18a9db35cc1b49a52a1b4c2280dd4500eec0

SHA512
fe1502afc9b940a53147f3f2a510506416b3a226d28d155de50b0eea35d936d2f8e8cd01c589796677235a6aff3622673ef801c97eb05e732e56cee1a2754415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e48adc084ff1928409ac87b96253bf25

SHA1
0fbc3d45eb8a9c507474db51d9a958e5d7d6a3a3

SHA256
006f7c08910d61ad476bdeac155d8d361b803002074968dd073ffcc9210e0845

SHA512
cc8f0198ec3592d72cd58907c5afc57915ba32a7994e82374e94b2cbf995882974a46f43cca0169648f52dad34b021ce072c57dd3994f350e9d9218eb26aa974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f5311cc139bb6af99d70bdabf4a30f

SHA1
660baf3ee957cb88c966e77b0d670155afbbc3da

SHA256
a51f40ee64ba509aef3c6e3b032f3e4436c6bb56356641e16aa1940c90f4d58e

SHA512
ba17b14ae47901c2b2dea927bfdfb327c38bb60f62895e919a0a68e51428bef0e86aea92ae26200e9bd2b8029da1f2223b8dc920790acbb0bff4f009f3ad4612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb7d6182a8ee0a1c366080cae5f4e71

SHA1
8274596411aef99c185b3450aedc6b4d4e3fea47

SHA256
7e191b0fd705c6f5ab99c5977f09aafd1b0284edce048a13191e353dc4a14e2e

SHA512
04a421d2d06ae4cf6f838c2e8e5b99cdabcdfd361fd59a3435184ba6918b9104cfecbbc6bba8d95a07717ee970b1a3346a685faabde56d62d4bd2d584ab77347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f921c4c9fc71065cc4e57c3a2b6d965

SHA1
931dfa26b4044e89bcd46cb88ec44d8863f45f38

SHA256
e63bb33ef081435c78eb965b64da22cfd94419a9f95e0382a2cf4ca87b8ce602

SHA512
7f7585b6cfd87b35519663c451806c02c10f23cb42ee7a1c4e3fbfb964f8ce1323ec74a4261fba69bff95063d9b2a0c838c4d8600ed12031d0268dbcfdb9df62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f529c8c4eab823fc085e6df709d80fc6

SHA1
5e12313f6de8b116147188de553600fbe1baa883

SHA256
c12f433e426f6faa41e32122a956e5f599c6b8fe019afc0ac78e5791b8231aa6

SHA512
cc8682c05b4abbdeecdb838660b961e1598744e5321cf14b99735145e3c9a5f4e694fdeba5b8f9e4a978935c8d1948311737955cc818aa890fd85d723365bb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
215B

MD5
5ce4b673d9d3f349ec70161b0e1dd5d6

SHA1
b1abc63090214bd11c118714497a8e0d56e2f3bb

SHA256
aaa54352b48dd19e55f65c896c05557732c461b234a9a99baf0f6add91e98009

SHA512
bc750e618aab712783293996e4c83bbcb4cef6931f53aec74c2d29fac06e6ef8a38b640196078467e615f3fb9d4de6e447231b79cd699d1315f161af22630d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
215B

MD5
928f44c91f93ab90da6cdc61747bf6db

SHA1
b2d62dc5e403b6d5baf4239cfaf36e8b976a35d6

SHA256
b6fe364f96a7540cbdfc1d97fcd1808dc75374b14be2aadb315d8024a8797e90

SHA512
e59368ef8d2d6188c29046ee900e1d13a5c51948a7d3a7881f9e937b23ee8bf0e796e0c9c5d86e85b6918c6955b96a2b5b8b103c6098d5f283b68f82765547b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
215B

MD5
5ebc45f5ad7885c8bf74a09fecbf72e9

SHA1
4b2fa80507a10c8cb70f3522b8ff1c5d80a6ddd2

SHA256
217c8da5774c1d510818f25afe77749425299d79b616d8db5faf1f1b01f6ef24

SHA512
983d60e7b55e47fb6504fe5a1ec0ca8fdeda9b25fc6acb2df5fbbbdd746dc0b3d01ad4409e454bc1b8fecf573efe9d03f61f77fe125132bfd387a4a79758232b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
215B

MD5
b0acc48dd3fc2a1c3dc93ef2eb931369

SHA1
9f898cbc87ea01312a7157e12264c166b980f14a

SHA256
723a38fb38e7b706968da5b8110228e691e21837b941cab3c3463c77e633eb1f

SHA512
7690fb08784159c89a2a859d79bb7b019b1c772125bfe61f7e91e8b3d3ea2e8acb2be90ca329cf93cb5754ee24283aa2e7cac31637ed63b6c0262799f3b79c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA2E6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
215B

MD5
521246357728fa0700c868ae2b611857

SHA1
19e0932da28d187cbeabfece8bb1c4e1eef4c558

SHA256
f11be76feea2f7e159a40d5600e7a4f3088460dfae63545e8993dbad06e6816f

SHA512
19d6f859b5fa3d495e7a3a9d57b247a8b4988523a061c9a7a48bfec2f4a53612c2884ad487ac26b2f22e0cd3a9e81e40ec3a58cff59f4b3f83ddacab6e95f7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

Filesize
215B

MD5
2a8be220fd1e4cd87b8b023dd21c33bf

SHA1
949679c519a887e84a53db1906a94736c6710cf1

SHA256
4c709cc5efd6657db1af5ffd1dc2be98cbbf370dcfbd04edb6ac3eb29c7eb730

SHA512
126ebc167bef4c11991e61b4debe2b9d48169e21b3edf5572417c6e4bed51a2a3c15d1257b875067c16e4b0700145097e5e01bef70ad0c8611eee287c5a7712c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA2F8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
215B

MD5
06c6a8ac1a2fe1bf59b7c773a8c16a1d

SHA1
7d9b65277a5a5e411dde1ba472c8000f1562690e

SHA256
2fac76bbd809e402d2e6b53626924dbbddb405a3bb21789befb40ac1f58964bf

SHA512
085823ba687cceba1dca6bace888d5bea8fd34d79b82c6f9d340df75e921c58fdacc12634c0424301c2a11ab5ff5670dffe46f75b35d986171c127675398af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
215B

MD5
23db51587ccd055f1da1c989bf476e3a

SHA1
af09380e5304f16a82fc3518c67b31b2d5df8565

SHA256
b34a989472455b093e9165cb4102d94bb7e3ff5a0926288bc29be201e24c8411

SHA512
36a24ebb776a4ff8407fc39658d2737e183a37de1142247f12683cd9f9b1b8a5148c1031c74bc897926b64f38525277e835e50e34f8f3d84af9170bdfd339621

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
215B

MD5
473b7ac1b47248ac79b5fa08471d51dc

SHA1
3189d1bdea432381c5d5726a0e927ad4f8608d13

SHA256
598692143b9dabfa6e22cf538c149833a14ed30770763a99d26299cc194c51ee

SHA512
4e1168b78de3d9ff2343ee8489cc0a9772562d4206570421a1b1c6e4993dec55d0f6fb7e2b0b7a2fe62b8bd1eb49d8c1cb0077dafa0a6adb77502b0c982ffdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
215B

MD5
909a0d2a8c419677b10b768858441642

SHA1
feca360e323961302c749426b4c759c7bc6a7c3e

SHA256
fb49c5af332346802fc4eb7af1e5a572c06b40c9024caec5f390e949aeab591f

SHA512
f758cb5c26ff38c3e9d7c00fd6aa0b50741e9008d262d2eb60032f6348523c6a920fe2c6005ab7cdb730291ed771054d256aa9cd53603b5c75a2ebce90d9eaf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f365824254b5bac96d7d49a230c7455e

SHA1
e941bb52235ba2a38892cf726b46d5d6519ae4f0

SHA256
83333b304f7c9a502c342c291bf969eb9d35ef62d9a7ba5fb352aed6b6a7f457

SHA512
2b95573218d49c693d8e89d0e7926bace9e6d16cb9100f0f02cd6cb250e8ccb3a48f84540d1252762c683c9f938acee343739897c1835c4e4c2a7320b3e0a25a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/548-606-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1536-51-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1764-52-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2000-36-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2144-310-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2572-131-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2572-132-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2904-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download