dcrat | b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Size

827KB
MD5

428bdccd4c240a253810e1c2a4ff8b78
SHA1

6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c
SHA256

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d
SHA512

81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63
SSDEEP

12288:GurCqcV04iJuX03lJmrw1DMVMkNcL4uhB6lg1npjzh/Ta6:bypiJOw1D8YhB6lkpjdO6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4848	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/1408-1-0x0000000000420000-0x00000000004F6000-memory.dmp dcrat
C:\Program Files\Google\services.exe dcrat

resource	yara_rule
behavioral2/memory/1408-1-0x0000000000420000-0x00000000004F6000-memory.dmp	dcrat
C:\Program Files\Google\services.exe	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exeb9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 12 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid process

1084 csrss.exe
4896 csrss.exe
4860 csrss.exe
2512 csrss.exe
4748 csrss.exe
1408 csrss.exe
3036 csrss.exe
3532 csrss.exe
1088 csrss.exe
936 csrss.exe
1236 csrss.exe
1228 csrss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service
T1102

Processes:

flow ioc

34 pastebin.com
41 pastebin.com
44 pastebin.com
45 pastebin.com
52 pastebin.com
53 pastebin.com
55 pastebin.com
23 pastebin.com
56 pastebin.com
26 pastebin.com
54 pastebin.com
22 pastebin.com

pid	process
1084	csrss.exe
4896	csrss.exe
4860	csrss.exe
2512	csrss.exe
4748	csrss.exe
1408	csrss.exe
3036	csrss.exe
3532	csrss.exe
1088	csrss.exe
936	csrss.exe
1236	csrss.exe
1228	csrss.exe

flow	ioc
34	pastebin.com
41	pastebin.com
44	pastebin.com
45	pastebin.com
52	pastebin.com
53	pastebin.com
55	pastebin.com
23	pastebin.com
56	pastebin.com
26	pastebin.com
54	pastebin.com
22	pastebin.com

Drops file in Program Files directory 11 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\cc11b995f2a76d	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\Google\services.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\e1ef82546f0b02	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\7-Zip\Lang\winlogon.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\winlogon.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\Google\c5b4cb5e9653cc	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\VideoLAN\VLC\sihost.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files\VideoLAN\VLC\66fc9ff0ee96c2	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.exeb9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1560	schtasks.exe
736	schtasks.exe
4356	schtasks.exe
1332	schtasks.exe
3180	schtasks.exe
2796	schtasks.exe
432	schtasks.exe
2940	schtasks.exe
4820	schtasks.exe
4220	schtasks.exe
936	schtasks.exe
4048	schtasks.exe
768	schtasks.exe
548	schtasks.exe
4076	schtasks.exe
396	schtasks.exe
1824	schtasks.exe
1352	schtasks.exe
1440	schtasks.exe
860	schtasks.exe
4256	schtasks.exe
1080	schtasks.exe
3672	schtasks.exe
3968	schtasks.exe
4784	schtasks.exe
4912	schtasks.exe
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
1084	csrss.exe
4896	csrss.exe
4860	csrss.exe
2512	csrss.exe
4748	csrss.exe
1408	csrss.exe
3036	csrss.exe
3532	csrss.exe
1088	csrss.exe
936	csrss.exe
1236	csrss.exe
1228	csrss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
Token: SeDebugPrivilege	1084	csrss.exe
Token: SeDebugPrivilege	4896	csrss.exe
Token: SeDebugPrivilege	4860	csrss.exe
Token: SeDebugPrivilege	2512	csrss.exe
Token: SeDebugPrivilege	4748	csrss.exe
Token: SeDebugPrivilege	1408	csrss.exe
Token: SeDebugPrivilege	3036	csrss.exe
Token: SeDebugPrivilege	3532	csrss.exe
Token: SeDebugPrivilege	1088	csrss.exe
Token: SeDebugPrivilege	936	csrss.exe
Token: SeDebugPrivilege	1236	csrss.exe
Token: SeDebugPrivilege	1228	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.execsrss.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 4944	1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe	cmd.exe
PID 1408 wrote to memory of 4944	1408	b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe	cmd.exe
PID 4944 wrote to memory of 2528	4944	cmd.exe	w32tm.exe
PID 4944 wrote to memory of 2528	4944	cmd.exe	w32tm.exe
PID 4944 wrote to memory of 1084	4944	cmd.exe	csrss.exe
PID 4944 wrote to memory of 1084	4944	cmd.exe	csrss.exe
PID 1084 wrote to memory of 3532	1084	csrss.exe	cmd.exe
PID 1084 wrote to memory of 3532	1084	csrss.exe	cmd.exe
PID 3532 wrote to memory of 536	3532	cmd.exe	w32tm.exe
PID 3532 wrote to memory of 536	3532	cmd.exe	w32tm.exe
PID 3532 wrote to memory of 4896	3532	cmd.exe	csrss.exe
PID 3532 wrote to memory of 4896	3532	cmd.exe	csrss.exe
PID 4896 wrote to memory of 4148	4896	csrss.exe	cmd.exe
PID 4896 wrote to memory of 4148	4896	csrss.exe	cmd.exe
PID 4148 wrote to memory of 3536	4148	cmd.exe	w32tm.exe
PID 4148 wrote to memory of 3536	4148	cmd.exe	w32tm.exe
PID 4148 wrote to memory of 4860	4148	cmd.exe	csrss.exe
PID 4148 wrote to memory of 4860	4148	cmd.exe	csrss.exe
PID 4860 wrote to memory of 2024	4860	csrss.exe	cmd.exe
PID 4860 wrote to memory of 2024	4860	csrss.exe	cmd.exe
PID 2024 wrote to memory of 936	2024	cmd.exe	w32tm.exe
PID 2024 wrote to memory of 936	2024	cmd.exe	w32tm.exe
PID 2024 wrote to memory of 2512	2024	cmd.exe	csrss.exe
PID 2024 wrote to memory of 2512	2024	cmd.exe	csrss.exe
PID 2512 wrote to memory of 2680	2512	csrss.exe	cmd.exe
PID 2512 wrote to memory of 2680	2512	csrss.exe	cmd.exe
PID 2680 wrote to memory of 2784	2680	cmd.exe	w32tm.exe
PID 2680 wrote to memory of 2784	2680	cmd.exe	w32tm.exe
PID 2680 wrote to memory of 4748	2680	cmd.exe	csrss.exe
PID 2680 wrote to memory of 4748	2680	cmd.exe	csrss.exe
PID 4748 wrote to memory of 2684	4748	csrss.exe	cmd.exe
PID 4748 wrote to memory of 2684	4748	csrss.exe	cmd.exe
PID 2684 wrote to memory of 2588	2684	cmd.exe	w32tm.exe
PID 2684 wrote to memory of 2588	2684	cmd.exe	w32tm.exe
PID 2684 wrote to memory of 1408	2684	cmd.exe	csrss.exe
PID 2684 wrote to memory of 1408	2684	cmd.exe	csrss.exe
PID 1408 wrote to memory of 4944	1408	csrss.exe	cmd.exe
PID 1408 wrote to memory of 4944	1408	csrss.exe	cmd.exe
PID 4944 wrote to memory of 4812	4944	cmd.exe	w32tm.exe
PID 4944 wrote to memory of 4812	4944	cmd.exe	w32tm.exe
PID 4944 wrote to memory of 3036	4944	cmd.exe	csrss.exe
PID 4944 wrote to memory of 3036	4944	cmd.exe	csrss.exe
PID 3036 wrote to memory of 1724	3036	csrss.exe	cmd.exe
PID 3036 wrote to memory of 1724	3036	csrss.exe	cmd.exe
PID 1724 wrote to memory of 2696	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 2696	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 3532	1724	cmd.exe	csrss.exe
PID 1724 wrote to memory of 3532	1724	cmd.exe	csrss.exe
PID 3532 wrote to memory of 4608	3532	csrss.exe	cmd.exe
PID 3532 wrote to memory of 4608	3532	csrss.exe	cmd.exe
PID 4608 wrote to memory of 3844	4608	cmd.exe	w32tm.exe
PID 4608 wrote to memory of 3844	4608	cmd.exe	w32tm.exe
PID 4608 wrote to memory of 1088	4608	cmd.exe	csrss.exe
PID 4608 wrote to memory of 1088	4608	cmd.exe	csrss.exe
PID 1088 wrote to memory of 2956	1088	csrss.exe	cmd.exe
PID 1088 wrote to memory of 2956	1088	csrss.exe	cmd.exe
PID 2956 wrote to memory of 652	2956	cmd.exe	w32tm.exe
PID 2956 wrote to memory of 652	2956	cmd.exe	w32tm.exe
PID 2956 wrote to memory of 936	2956	cmd.exe	csrss.exe
PID 2956 wrote to memory of 936	2956	cmd.exe	csrss.exe
PID 936 wrote to memory of 1788	936	csrss.exe	cmd.exe
PID 936 wrote to memory of 1788	936	csrss.exe	cmd.exe
PID 1788 wrote to memory of 2728	1788	cmd.exe	w32tm.exe
PID 1788 wrote to memory of 2728	1788	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe
"C:\Users\Admin\AppData\Local\Temp\b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UtjMKxjHs4.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2528

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:536

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3536

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:936

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2784

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:2588

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4812

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:2696

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3844

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
20⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:652

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
22⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2728

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
24⤵
PID:4892

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:1804

C:\Users\Default\Links\csrss.exe
"C:\Users\Default\Links\csrss.exe"
25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\services.exe
Filesize
827KB

MD5
428bdccd4c240a253810e1c2a4ff8b78

SHA1
6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c

SHA256
b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

SHA512
81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat
Filesize
197B

MD5
5c5260db308fc35d52aa65a275c8ae16

SHA1
f0606a4534607fc950e9e5b140787412c3af98fc

SHA256
008ec64d169be28288af9c76f92ba653dc1bd5a3f89cebc5a55621b674157aca

SHA512
9a99d277af80b9f4fd5aeae485c24145fb2ec3dc23857bdae03d5a44abd752a10863710c28b89d608a9b3286e4029841d9e2f86f833bf6cf64b0db8d7dbd7f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat
Filesize
197B

MD5
50366452faafa441a5d80ca9bf6eb0a7

SHA1
24a6429a0e14777eee38f9e7f5b79dc097260fc9

SHA256
08819c2693793b35b8c9822782696df97d23b77a07d72b929d30e115240d18c9

SHA512
fcba7b45f795584602489dc6f12c4c0b97577a29e25e4f235ee94f1dcaf7ce4200fcfbda106954ad4f9fcc13c9fe496f4eabcf746564d7b03e34ade55bc4030d

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat
Filesize
197B

MD5
c6c915cef313e1ba1e090a17c88ba197

SHA1
a85fae8b81d4782480f25bba3af87db481a9b35e

SHA256
80337ea2f26156891a4e7128d11922f93643ede0b4ab20da731660468e780d26

SHA512
ffe012da206ac6f21dd6a7ddef21bfa389eece8dddac92703666c6f1a00cc5d6282e12795075e1270b782cf631abf685ece134262c2bcc8092f01d410e7ca9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat
Filesize
197B

MD5
7f3fd58b16712ea850ade2a51449e12d

SHA1
aaa7858b7999e5fa7c3b7ec151c5049290accc00

SHA256
741677e0b9d00dfef556b603e1d4ca3f21de41bbae14c342ca03fd5cb5a93758

SHA512
deb05c5be74e9ed7690784b7eff188a3f883e04189b95144781b48b67e5c023a352de5101cd02605a53f049212fd2cf25d62c6ccab7b450016c254e1b55be261

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat
Filesize
197B

MD5
c9207554c52321918d106e974c613e27

SHA1
5786b3216dc2d09ce916a9a63fd2547ad89a88ed

SHA256
7e0c48f3e0075ea898aa8a7310161e47cec5c43a340678cd980171e089556393

SHA512
c32634585a7ebbb9310cbe3e1d13e31ff48216d8906ac748b42f1fac4b89928bf0effe258e1619b11c1da5425fd77b63d3fc7f3deff49c7c3ad5a9df00eeb8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat
Filesize
197B

MD5
e3a5bb6386954fe28f613dff1f35f3c9

SHA1
f983a2247953c4d2a538198bad62fe994ba9ec26

SHA256
ec9d08fe30bc1f0786998e1bfec4334477232e7ef01d91e624df9d5b2e2e58a4

SHA512
22cd07245e76caa876df1e8fcc6e7bea1b31ab69b56c816b5ae8fb55190b73e0f70bc9e89fb6557c615d523963196f5b2df0dd33d4416e36ba2529c418872f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\UtjMKxjHs4.bat
Filesize
197B

MD5
9e6774641e50ae61e8a341ffc8127bc7

SHA1
24107ed86c871b19642eddb29a78fdefa6abc4c6

SHA256
31fc05cbc43ff2dc35e158629aaf4853c7722443d8324cbe98409cb20375745c

SHA512
bd16627877e7ef7f967d85bb9728dfacbb359bcae3488d00919742859b993c71a5dc4655b856816582a5428f6146f86a514fd0600c20738b33b9be4d23867f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat
Filesize
197B

MD5
ff0a6f64fd30d06ee32cc8f29e840d26

SHA1
4de646560d7f7c7eb31570684c3cea8fabb51bf3

SHA256
71781aed45ab711128202308f075bad5c874faf67fcd8ed2b6ae09dd4bedaf3a

SHA512
793c5b7011bb161c605a7bce5ae65e795a8c0a48cea9531e0b1e95e2d7d3d4cbc86d252ed85d0d9c764ddbf683c827ed3351e15ec4949bf77bee7a9fc9c236f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat
Filesize
197B

MD5
81c50ee307d651251269fe8dce0d5778

SHA1
3df9fc2837ec787ca2c04cea0f5feff662b64dd5

SHA256
d0a6bd4b5f30002301dd6151373f2334c10695af44feb7aeb3439d7772133c5f

SHA512
aa7fb9b322c41aa810bff2ebf108b26cd37e993c026f6455aa6d08f8a0933f780d5c347229b27e830348682e5dd6521b5834845e756f28b54b4dee85c75a62cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat
Filesize
197B

MD5
30cb8e3bf4ad3b166c2fac3c396e0eda

SHA1
0b3d97cb274ce00c78b1e7ce819f827e6241acf0

SHA256
d1618b62edaa792a9694c9b7b399ac67a6f5eae79837668f6e56d8069d5c5fe2

SHA512
5c22f47fdd0b0c084fc0b845921725ed8df45ece0ac58f2108dc048a2c628976442392e688d47327a722740ed29c2b04b7b9c29c414c1d7f6f6bab1316d0594e

Download Submit
memory/1408-26-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/1408-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

Filesize
8KB

Download
memory/1408-4-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/1408-1-0x0000000000420000-0x00000000004F6000-memory.dmp

Filesize
856KB

Download