dcrat | b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4

Resubmissions

14-01-2025 03:03

250114-dkgznaxmaq 10

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
Size

6.5MB
MD5

dd045e7803ef620069b0e90d9128375f
SHA1

983de7fc238cac0de7b2d74b86617501dbbfc9c6
SHA256

b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4
SHA512

3ef80acad4b09dbb84835520f249c3970f0574156e77155f496dddb46927d407773315f34c4c38277e34825ac6401159b5df06776140b20fb9f820f0a4859886
SSDEEP

196608:nuaAxSTZLvD6/x1R92cJUMo7xS6eUEMW42:nRAh5n9/GMolS6eyWZ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2348	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2348	schtasks.exe	38

DCRat payload 13 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016e1d-42.dat	family_dcrat_v2
behavioral1/memory/2928-47-0x0000000000400000-0x00000000004FD000-memory.dmp	family_dcrat_v2
behavioral1/memory/1896-62-0x0000000000BF0000-0x0000000000CB6000-memory.dmp	family_dcrat_v2
behavioral1/memory/3048-89-0x0000000001160000-0x0000000001226000-memory.dmp	family_dcrat_v2
behavioral1/memory/2176-110-0x0000000000250000-0x0000000000316000-memory.dmp	family_dcrat_v2
behavioral1/memory/552-121-0x00000000009A0000-0x0000000000A66000-memory.dmp	family_dcrat_v2
behavioral1/memory/2012-132-0x0000000000C30000-0x0000000000CF6000-memory.dmp	family_dcrat_v2
behavioral1/memory/1716-143-0x0000000000FC0000-0x0000000001086000-memory.dmp	family_dcrat_v2
behavioral1/memory/2196-164-0x0000000000380000-0x0000000000446000-memory.dmp	family_dcrat_v2
behavioral1/memory/1464-175-0x00000000008B0000-0x0000000000976000-memory.dmp	family_dcrat_v2
behavioral1/memory/2464-186-0x0000000000C40000-0x0000000000D06000-memory.dmp	family_dcrat_v2
behavioral1/memory/2168-197-0x0000000000010000-0x00000000000D6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2072-208-0x00000000013B0000-0x0000000001476000-memory.dmp	family_dcrat_v2

Executes dropped EXE 19 IoCs

pid	Process
2756	svchost.exe
2996	explorer.exe
2604	cBAgHR0p6G.exe
1896	L1HpoXhDl1.exe
3048	winlogon.exe
1080	winlogon.exe
2176	winlogon.exe
552	winlogon.exe
2012	winlogon.exe
1716	winlogon.exe
1492	winlogon.exe
2196	winlogon.exe
1464	winlogon.exe
2464	winlogon.exe
2168	winlogon.exe
2072	winlogon.exe
2420	winlogon.exe
2356	winlogon.exe
2872	winlogon.exe

Loads dropped DLL 5 IoCs

pid	Process
2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
2780	Process not Found
2928	RegAsm.exe
2928	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2756	svchost.exe
2756	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2928	2996	explorer.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2336	PING.EXE
2928	PING.EXE
1996	PING.EXE
3012	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE
2928	PING.EXE
1996	PING.EXE
3012	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2356	schtasks.exe
1876	schtasks.exe
1376	schtasks.exe
2368	schtasks.exe
560	schtasks.exe
2520	schtasks.exe
2396	schtasks.exe
2896	schtasks.exe
532	schtasks.exe
1748	schtasks.exe
1628	schtasks.exe
2428	schtasks.exe
768	schtasks.exe
2472	schtasks.exe
2296	schtasks.exe
568	schtasks.exe
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	svchost.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
1896	L1HpoXhDl1.exe
3048	winlogon.exe
3048	winlogon.exe
3048	winlogon.exe
3048	winlogon.exe
3048	winlogon.exe
3048	winlogon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	L1HpoXhDl1.exe
Token: SeDebugPrivilege	3048	winlogon.exe
Token: SeDebugPrivilege	1080	winlogon.exe
Token: SeDebugPrivilege	2176	winlogon.exe
Token: SeDebugPrivilege	552	winlogon.exe
Token: SeDebugPrivilege	2012	winlogon.exe
Token: SeDebugPrivilege	1716	winlogon.exe
Token: SeDebugPrivilege	1492	winlogon.exe
Token: SeDebugPrivilege	2196	winlogon.exe
Token: SeDebugPrivilege	1464	winlogon.exe
Token: SeDebugPrivilege	2464	winlogon.exe
Token: SeDebugPrivilege	2168	winlogon.exe
Token: SeDebugPrivilege	2072	winlogon.exe
Token: SeDebugPrivilege	2420	winlogon.exe
Token: SeDebugPrivilege	2356	winlogon.exe
Token: SeDebugPrivilege	2872	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2756	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	30
PID 2644 wrote to memory of 2756	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	30
PID 2644 wrote to memory of 2756	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	30
PID 2644 wrote to memory of 2756	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	30
PID 2644 wrote to memory of 2996	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	32
PID 2644 wrote to memory of 2996	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	32
PID 2644 wrote to memory of 2996	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	32
PID 2644 wrote to memory of 2996	2644	b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe	32
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2996 wrote to memory of 2928	2996	explorer.exe	34
PID 2928 wrote to memory of 1896	2928	RegAsm.exe	36
PID 2928 wrote to memory of 1896	2928	RegAsm.exe	36
PID 2928 wrote to memory of 1896	2928	RegAsm.exe	36
PID 2928 wrote to memory of 1896	2928	RegAsm.exe	36
PID 2756 wrote to memory of 1252	2756	svchost.exe	37
PID 2756 wrote to memory of 1252	2756	svchost.exe	37
PID 2756 wrote to memory of 1252	2756	svchost.exe	37
PID 1896 wrote to memory of 1396	1896	L1HpoXhDl1.exe	57
PID 1896 wrote to memory of 1396	1896	L1HpoXhDl1.exe	57
PID 1896 wrote to memory of 1396	1896	L1HpoXhDl1.exe	57
PID 1396 wrote to memory of 1940	1396	cmd.exe	59
PID 1396 wrote to memory of 1940	1396	cmd.exe	59
PID 1396 wrote to memory of 1940	1396	cmd.exe	59
PID 1396 wrote to memory of 1996	1396	cmd.exe	60
PID 1396 wrote to memory of 1996	1396	cmd.exe	60
PID 1396 wrote to memory of 1996	1396	cmd.exe	60
PID 1396 wrote to memory of 3048	1396	cmd.exe	61
PID 1396 wrote to memory of 3048	1396	cmd.exe	61
PID 1396 wrote to memory of 3048	1396	cmd.exe	61
PID 3048 wrote to memory of 1636	3048	winlogon.exe	62
PID 3048 wrote to memory of 1636	3048	winlogon.exe	62
PID 3048 wrote to memory of 1636	3048	winlogon.exe	62
PID 1636 wrote to memory of 1912	1636	cmd.exe	64
PID 1636 wrote to memory of 1912	1636	cmd.exe	64
PID 1636 wrote to memory of 1912	1636	cmd.exe	64
PID 1636 wrote to memory of 2320	1636	cmd.exe	65
PID 1636 wrote to memory of 2320	1636	cmd.exe	65
PID 1636 wrote to memory of 2320	1636	cmd.exe	65
PID 1636 wrote to memory of 1080	1636	cmd.exe	66
PID 1636 wrote to memory of 1080	1636	cmd.exe	66
PID 1636 wrote to memory of 1080	1636	cmd.exe	66
PID 1080 wrote to memory of 2748	1080	winlogon.exe	67
PID 1080 wrote to memory of 2748	1080	winlogon.exe	67
PID 1080 wrote to memory of 2748	1080	winlogon.exe	67
PID 2748 wrote to memory of 2668	2748	cmd.exe	69
PID 2748 wrote to memory of 2668	2748	cmd.exe	69
PID 2748 wrote to memory of 2668	2748	cmd.exe	69
PID 2748 wrote to memory of 2164	2748	cmd.exe	70
PID 2748 wrote to memory of 2164	2748	cmd.exe	70
PID 2748 wrote to memory of 2164	2748	cmd.exe	70
PID 2748 wrote to memory of 2176	2748	cmd.exe	71
PID 2748 wrote to memory of 2176	2748	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe
"C:\Users\Admin\AppData\Local\Temp\b56efb3ca8906a817613e7e0899cffa1f5d23d39164153dc2567cf10a0314fb4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\cBAgHR0p6G.exe
      "C:\Users\Admin\AppData\Roaming\cBAgHR0p6G.exe"
      4⤵
      Executes dropped EXE
      PID:2604
  - - C:\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe
      "C:\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aUBav6SMX6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1940
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1996
      - C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I19jVKSgi3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2320
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2164
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WKriXx1WO.bat"
        11⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2628
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat"
        13⤵
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3012
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cMdeBf80Aw.bat"
        15⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1320
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"
        17⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat"
        19⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2252
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkZfuSJvBK.bat"
        21⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2240
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat"
        23⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2128
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat"
        25⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2548
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
        27⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gXPzuBRgcB.bat"
        29⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1920
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
        31⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1560
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat"
        33⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2444
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L1HpoXhDl1L" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L1HpoXhDl1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L1HpoXhDl1L" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0WKriXx1WO.bat

Filesize
210B

MD5
16f80e60f5114711f9af79fcc860f651

SHA1
fc22f32f24f411758c30e677134c7f46ef304d2a

SHA256
cd90acf6cb063563db3667fac0f1feec04400ed0ec2c20ea83bc70d059146212

SHA512
89b975348eba0213c0d6d4b327f894388b44128f63ec41234511225bc47a03579e0faf7fc114cad2b4f9f66ee3f824c228b9a1387dd2a7f382a0cfd40b8c7921

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat

Filesize
210B

MD5
7d43d92bdc756be620218f8acd6fd5f2

SHA1
c09f30ecd96d3dc89128105f5651fd7c6d2a1f28

SHA256
61f28d7202a2bb5bc041d80f11348e7d59a291de50d7704ddb3dc012a4ce9b9b

SHA512
586614a5d15a95f9b10ec5b426988337b0aa1277273b25c9d053a31f0753b70baf88dd59198a33e7383dd2e4d20993c0be9f667d29a876d6a0e2daa590b4be91

Download Submit
C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat

Filesize
162B

MD5
2009ef0ecaa8cb89281393595d811076

SHA1
9e186476828b1bfe52952be930e374d1b033aa7c

SHA256
819062a9cb62c1399a1300c557c6b6166193a3cb4df0313486174238e79096b8

SHA512
934568e5daee652557d5cf007fe135d2f4553ce8300fde954a1dcac83c75525fe6c3d81334064fa828377a998679b179d9289dba5c6925eb94ce2cc9a646569a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

Filesize
210B

MD5
94f2c770cd42132c9a388cb28cd87eed

SHA1
0f15484003f42fa4003b31c65fc4063f59eecf3e

SHA256
d6ba2d035abe26ac43bc7d891a86d930876f32c50091dfbfe17561297f3a7986

SHA512
baad9a2c24c32ffc167f1f058b1cb5355124be4e6d20876e6bd56b4a49d957fb498addf21512dadb32d2dcc73007a72f4551495c0be2de71c711bb6bb08ac379

Download Submit
C:\Users\Admin\AppData\Local\Temp\I19jVKSgi3.bat

Filesize
210B

MD5
1f83e1b316b01799dc8d89753970d5cd

SHA1
d710f174fe45421f8c6d14772753d8a3dd65f92f

SHA256
b476bd24d9634a5955425e72fa8232945d85a5ea1e7cf4f3954f02e4934f40d8

SHA512
dca4d464937cb8f6621126f61bff43018cec5fb47f310b9858b34b75f88e6dc2b4a3faaf5e039135e74c1c3b2135529428b68da818555a462f2fc12943454393

Download Submit
C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat

Filesize
210B

MD5
49cb16257d8cb0a0d46677758cad9c94

SHA1
a78503147e721ca29f61f9b0b4ef1d42c1b7cb85

SHA256
2e4d78333587cdd607d45b53cc69c0c495f10b7fd725f8d6aee3ab6afeb2e8de

SHA512
d511a449a2304bb7597347ede46b97db208b18b306d1706265463341f203c6ae1faa12a152c800817d91a8bf379a6f443f591cea77c774e4a55b3ffd50770943

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkZfuSJvBK.bat

Filesize
210B

MD5
a6a16910b76ba5a737f3f2be7c33c855

SHA1
29246e0b461e3aa8f5864d994d29d8c7b451165f

SHA256
c0eae3d29e16c7c7b00dbf5e310a728529782a76745daf7baa1bc51f12219baf

SHA512
f49e58bd5b07298b49392a2227ee412d743269b471d36d883dda00decae708b7983504a15d0a692ee7142b61093b14c8aad0266c3e18e461fabd2ef2b9da0126

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPR0cWdHM6.bat

Filesize
162B

MD5
b2a133f3dba98fd4896fdbd67de8bf5d

SHA1
0a917875f23ecc95d8d23ef72dae31551afbac55

SHA256
bd6edd996ba05a053d2cbbe859a69f8876004f3a25e31ec2e9d1eb5393349845

SHA512
2fb2d158cb2f689069a0119fc7ce1d1571d51070f04cea97fb473883e2d29a461419d80c88239b7fac8f3fdc828f3449a9ec6a4e7636fb4cfcde606e1cc67117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat

Filesize
162B

MD5
416133bb229c1c4f1810bad5dbff1ec5

SHA1
c0c0829e1039f07fd8ba5f82227fb9e63345345d

SHA256
a06d78436d3ed4647e325eac35d84da0b99de6daad03ae61496b87b6b5c38e4c

SHA512
93ddbef34fe878cb36f7f00b2ae975d1b2e53ddcd403e9da39a77474f141c1fca5d03096e8f1b8641c81c546158dc70e82f6570ec3472ddd9c5e309483419a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat

Filesize
210B

MD5
d4ab565469c8963bb9786ae987cb1dcf

SHA1
46e7d50a44e14557094be668cd8706babb866101

SHA256
eb6f0e3d66de4d539fa2cda98a2a243a03f8dacf269507493550f405817dfcb5

SHA512
54a8a857a25fd5bef40fea4cdf66e06b87474d5b0817330bedf48a2ef11121ab1508066f269f0020e68b1d8665f4cd07b1b3286c054b3f68ca7f66e4ec25f485

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUBav6SMX6.bat

Filesize
162B

MD5
5ce2f47db3f6f1f3cb644065bab86a7b

SHA1
3d65e44d2e50b82b16a288bbe32e59a81c37ac3a

SHA256
2425c192511596eb9f2dd017ea19fbb7c849d8f7d57408e2aadff790146911c8

SHA512
b47994a6514b4420a2e61087884ddddf177a4c188f79e046adcb6ce7e90ba0949600b7cfd268cf1f37c8604810006d90c38f3dff053ea76f8807c6e032fc9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMdeBf80Aw.bat

Filesize
210B

MD5
e1e82482e0bb6d6ccfd700b58e0eeaed

SHA1
0a1e9d00c49f94a2de7c055619999a35390dde96

SHA256
56e3fbab1917eb54b0ef74066bff65577743c982d42be7e718748a5c94c59a9d

SHA512
bd2782d84d8eeec03b48db5106af0982f1ab813cdfa8e1640f17a0fb2940bf3a0a174fbf786cd0616c7d9caf692fe1619b0f1856526f4d14132c73061c2e5f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXPzuBRgcB.bat

Filesize
210B

MD5
57da462731b0cab93e297d07bed3bc44

SHA1
147105e5f5d3eca369055fac466b85d24d727e4b

SHA256
70079cfc85858e2d0282bf948a5f528c6a1b08bb29a76db81d9e7df77a7898c1

SHA512
cdf4c6713e24203546d5e26604e114b8a0934c1d2b51ab7924c2ddf21cdb55d3f2d30ebd4cbbe073999903cc88ae2604e48ea9fd48b12b718524e5df856246fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat

Filesize
210B

MD5
5f691441d2d46185a00c24f8ef4898a4

SHA1
f98c6fdc81bb7233fef1a8e4d53ebe2ae591bac3

SHA256
6975bf09f16ed52ed65927f07f27844467aeaf4c6f293e33dfa05280ca73f8dd

SHA512
9cf130d37d9d3f4683482fefa8c9238668706691c66e8c7bb8e9a4c247a3c0da846a0687978ebeb85dba2917a9360515f957399682496b894a2382672392d3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
5.5MB

MD5
52aaa8c3fd6b813b713ae05ab9e4829c

SHA1
d4ac8addbe5e15e867afe58f4bbb8319395ad38e

SHA256
0c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2

SHA512
c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat

Filesize
210B

MD5
3ba27af27334de9c66576e70e258b239

SHA1
3cf66b64b2b5aca42f345ee59559278387920111

SHA256
25facf4d6b900494dea1f5cae6f1b915b54dcddf70e9349e402f5190478ae9c6

SHA512
b6c1702b2f9c169af5419e42084ce70cda7c89c1308ce1e0b460c2d913bbbcb56f7f1bc7f88974be256563844c9a6ad292fae211ea34cdadf82171110896ae0a

Download Submit
C:\Users\Admin\AppData\Roaming\cBAgHR0p6G.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1009KB

MD5
37248e1253355bc6e356e31346f35e30

SHA1
76a4c49df25f3621ef38426d726eafd9f67be20b

SHA256
917c39f77f2a2851383d506c884cc114a992c5e15d0c2993625a4b9186e26ad4

SHA512
1e4f5eb77fed7a1a25f6684fcd42b3097e666ea942995027cf9eab3d4f176eed8c2c9f561cf6e53e8769890fcbf08e559cbe9c05d42ae8ce2dbecb8c7733fd08

Download Submit
\Users\Admin\AppData\Roaming\L1HpoXhDl1.exe

Filesize
768KB

MD5
e3aae84e507657a2a81745500460f5f7

SHA1
dd53b7b8b0eab343f1ed3f0983326bc433304110

SHA256
b8f3077a6dd5d704139f7ccfe6e453adf3ebc0100c617fd2c9f3c51650a0ea25

SHA512
4bee0f7325bdb02528e78d21f65ccbdc9450316d6681022ddc6c85540a4a6b22c4cc4cfda36824a4e5c17a9b1f66845b61c82d822806dde1e006b9cee7da5d66

Download Submit
memory/552-121-0x00000000009A0000-0x0000000000A66000-memory.dmp

Filesize
792KB

Download
memory/1464-175-0x00000000008B0000-0x0000000000976000-memory.dmp

Filesize
792KB

Download
memory/1716-143-0x0000000000FC0000-0x0000000001086000-memory.dmp

Filesize
792KB

Download
memory/1896-66-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1896-62-0x0000000000BF0000-0x0000000000CB6000-memory.dmp

Filesize
792KB

Download
memory/1896-64-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1896-68-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/1896-70-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2012-132-0x0000000000C30000-0x0000000000CF6000-memory.dmp

Filesize
792KB

Download
memory/2072-208-0x00000000013B0000-0x0000000001476000-memory.dmp

Filesize
792KB

Download
memory/2168-197-0x0000000000010000-0x00000000000D6000-memory.dmp

Filesize
792KB

Download
memory/2176-110-0x0000000000250000-0x0000000000316000-memory.dmp

Filesize
792KB

Download
memory/2196-164-0x0000000000380000-0x0000000000446000-memory.dmp

Filesize
792KB

Download
memory/2464-186-0x0000000000C40000-0x0000000000D06000-memory.dmp

Filesize
792KB

Download
memory/2644-1-0x0000000000B40000-0x00000000011CC000-memory.dmp

Filesize
6.5MB

Download
memory/2644-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2756-55-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/2756-51-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/2756-53-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/2756-59-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/2756-49-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/2756-60-0x0000000140000000-0x00000001408C1000-memory.dmp

Filesize
8.8MB

Download
memory/2756-57-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/2928-30-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-34-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-47-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-23-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-31-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-17-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-25-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-21-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-35-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-19-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2928-27-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2996-15-0x00000000008F0000-0x00000000009F2000-memory.dmp

Filesize
1.0MB

Download
memory/3048-89-0x0000000001160000-0x0000000001226000-memory.dmp

Filesize
792KB

Download