dcrat | 333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c93cd212fba3b61aa7c3a6ff382c23.exe
Size

2.6MB
MD5

17c93cd212fba3b61aa7c3a6ff382c23
SHA1

1f9e9f7e51dec2491210717cba4540fb15deb71e
SHA256

333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077
SHA512

865001a8369a163d99496ccbcc812ff17ad655fb71821fb458ddc0fbe269ae78f3bdad7a676532aaee11bd72a697698353638b42ec0d85faa0853affe772bc73
SSDEEP

49152:IpTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:IZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	652	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

powershell.exe17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1504-54-0x0000000000C70000-0x0000000000F14000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe	dcrat
C:\Program Files (x86)\Reference Assemblies\powershell.exe	dcrat
C:\Program Files (x86)\Reference Assemblies\powershell.exe	dcrat
behavioral1/memory/1972-140-0x0000000000380000-0x0000000000624000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exepowershell.exe

pid process

1320 17c93cd212fba3b61aa7c3a6ff382c23.exe
1972 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1972	powershell.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exepowershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io

flow	ioc
5	ipinfo.io
6	ipinfo.io

Drops file in Program Files directory 13 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX5F05.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Reference Assemblies\powershell.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Reference Assemblies\e978f868350d50	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\System.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\0a1fd5f707cd16	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX5B9B.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\powershell.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Windows Defender\System.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\RCX675F.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\RCX6ACA.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe

Drops file in Windows directory 5 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCX8A9E.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCX8E09.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\0a1fd5f707cd16	17c93cd212fba3b61aa7c3a6ff382c23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1092	schtasks.exe
1284	schtasks.exe
364	schtasks.exe
836	schtasks.exe
776	schtasks.exe
1204	schtasks.exe
1688	schtasks.exe
1960	schtasks.exe
1648	schtasks.exe
1660	schtasks.exe
532	schtasks.exe
1324	schtasks.exe
1092	schtasks.exe
1168	schtasks.exe
1668	schtasks.exe
1976	schtasks.exe
860	schtasks.exe
1632	schtasks.exe
1648	schtasks.exe
1536	schtasks.exe
692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exe

pid	process
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
1320	17c93cd212fba3b61aa7c3a6ff382c23.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe
Token: SeDebugPrivilege	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1972 powershell.exe

pid	process
1972	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.execmd.exe17c93cd212fba3b61aa7c3a6ff382c23.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1812	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1812	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1812	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1128	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1128	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1128	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1588	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1588	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1588	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 624	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 624	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 624	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 760	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 760	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 760	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1740	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1740	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1740	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1504 wrote to memory of 1748	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1504 wrote to memory of 1748	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1504 wrote to memory of 1748	1504	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1748 wrote to memory of 1876	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1876	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1876	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1320	1748	cmd.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
PID 1748 wrote to memory of 1320	1748	cmd.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
PID 1748 wrote to memory of 1320	1748	cmd.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
PID 1320 wrote to memory of 952	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 952	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 952	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1732	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1732	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1732	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1248	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1248	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1248	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 1320 wrote to memory of 1460	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1320 wrote to memory of 1460	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1320 wrote to memory of 1460	1320	17c93cd212fba3b61aa7c3a6ff382c23.exe	cmd.exe
PID 1460 wrote to memory of 1816	1460	cmd.exe	w32tm.exe
PID 1460 wrote to memory of 1816	1460	cmd.exe	w32tm.exe
PID 1460 wrote to memory of 1816	1460	cmd.exe	w32tm.exe
PID 1460 wrote to memory of 1972	1460	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1972	1460	cmd.exe	powershell.exe
PID 1460 wrote to memory of 1972	1460	cmd.exe	powershell.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe17c93cd212fba3b61aa7c3a6ff382c23.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe

C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe
"C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\System.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe'
2⤵
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\17c93cd212fba3b61aa7c3a6ff382c23.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe
"C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\powershell.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1816

C:\Program Files (x86)\Reference Assemblies\powershell.exe
"C:\Program Files (x86)\Reference Assemblies\powershell.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17c93cd212fba3b61aa7c3a6ff382c231" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\17c93cd212fba3b61aa7c3a6ff382c23.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17c93cd212fba3b61aa7c3a6ff382c23" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\17c93cd212fba3b61aa7c3a6ff382c23.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17c93cd212fba3b61aa7c3a6ff382c231" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\17c93cd212fba3b61aa7c3a6ff382c23.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\powershell.exe
Filesize
2.6MB

MD5
17c93cd212fba3b61aa7c3a6ff382c23

SHA1
1f9e9f7e51dec2491210717cba4540fb15deb71e

SHA256
333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077

SHA512
865001a8369a163d99496ccbcc812ff17ad655fb71821fb458ddc0fbe269ae78f3bdad7a676532aaee11bd72a697698353638b42ec0d85faa0853affe772bc73

Download Submit
C:\Program Files (x86)\Reference Assemblies\powershell.exe
Filesize
2.6MB

MD5
17c93cd212fba3b61aa7c3a6ff382c23

SHA1
1f9e9f7e51dec2491210717cba4540fb15deb71e

SHA256
333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077

SHA512
865001a8369a163d99496ccbcc812ff17ad655fb71821fb458ddc0fbe269ae78f3bdad7a676532aaee11bd72a697698353638b42ec0d85faa0853affe772bc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe
Filesize
2.6MB

MD5
17c93cd212fba3b61aa7c3a6ff382c23

SHA1
1f9e9f7e51dec2491210717cba4540fb15deb71e

SHA256
333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077

SHA512
865001a8369a163d99496ccbcc812ff17ad655fb71821fb458ddc0fbe269ae78f3bdad7a676532aaee11bd72a697698353638b42ec0d85faa0853affe772bc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\861618fce7a13414d9661467cafea3df858c46384.5.332Rat01ae5043b4edcb8cf00c21396080e054436dcfb1
Filesize
276B

MD5
43d06eb0e5996843ca03b4a485c2b602

SHA1
207f9a75e562fa8e80376aa3b54aaef8b6536fec

SHA256
86ef08d4fc1c3855ee3f917b68620348e77adf4dcfc8cf594022a1c8d4b3d370

SHA512
98bdaa16be991a402328dd67b397a0720b31aac77ede5e6548319413323a5be216b62ba6fbaa879387a1f5c40fa600253825b3cf3286b25bb260eec3fe4fdb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat
Filesize
223B

MD5
d89369be6d04786ff983367b51982bbf

SHA1
d6e56394b079957a5f2a337b66fa417aee7b2f7a

SHA256
075809816861b40fa78da735fd8972dbdc24e761d8b51d8119fc878a23aae6c3

SHA512
0f1d6a1a5b372d74be80956193fee5be4ebe2c6b44039649ba47645fa7fd89d9b3e2e09d8c20f0cdea01800b4e60256c3d4acf218536ca27cac6be2c24fa1817

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat
Filesize
235B

MD5
2bc55fc50d50d333d5e57a2b2741370d

SHA1
f59c564870f0d16699f8b8509efdb4ef763d0da4

SHA256
611bc41da9e96f4719b964d170a780c8ac9fbc41a347866de84dcda45d7a11c3

SHA512
19d445e8d8f90aea0091dbd750320546b16cf21b22b282fe1828768f66d15b0781a9d51fc150ae62fb4a7e091b9a7870ca46aa98cb2252cda16a47aed21f12da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a1ec5c5ff90c94ca5ae5b728e099839

SHA1
0b0799b24c130ebf53f868b807b36f518ed11690

SHA256
88695d51d192a4a2af82fe43130e223cba94ca7950b7d76ba68a2dd60553e426

SHA512
1abdea97a51b756d0ca4b459b69ed8fe91b8898603b0d85f8c7b52482aa3846ccdf7cd776edeea4d6b9b353783ce3efbd6f342097eecaa826412804a9ff31b11

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/624-168-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/624-91-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/624-170-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/624-103-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/624-108-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/624-78-0x0000000000000000-mapping.dmp

Download
memory/760-158-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/760-93-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/760-114-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/760-157-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/760-151-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/760-106-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/760-79-0x0000000000000000-mapping.dmp

Download
memory/952-153-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/952-117-0x0000000000000000-mapping.dmp

Download
memory/952-129-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/952-135-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/952-142-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/952-169-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/952-164-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1128-115-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/1128-80-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1128-76-0x0000000000000000-mapping.dmp

Download
memory/1128-161-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1128-110-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1128-166-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1128-149-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1128-92-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1248-131-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1248-148-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1248-136-0x0000000002014000-0x0000000002017000-memory.dmp

Filesize
12KB

Download
memory/1248-119-0x0000000000000000-mapping.dmp

Download
memory/1248-156-0x000000000201B000-0x000000000203A000-memory.dmp

Filesize
124KB

Download
memory/1248-155-0x0000000002014000-0x0000000002017000-memory.dmp

Filesize
12KB

Download
memory/1248-143-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-111-0x0000000002430000-0x0000000002486000-memory.dmp

Filesize
344KB

Download
memory/1320-112-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1320-113-0x000000001B346000-0x000000001B365000-memory.dmp

Filesize
124KB

Download
memory/1320-100-0x0000000000000000-mapping.dmp

Download
memory/1320-107-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/1320-126-0x000000001B346000-0x000000001B365000-memory.dmp

Filesize
124KB

Download
memory/1460-120-0x0000000000000000-mapping.dmp

Download
memory/1504-74-0x000000001B266000-0x000000001B285000-memory.dmp

Filesize
124KB

Download
memory/1504-58-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1504-73-0x000000001B266000-0x000000001B285000-memory.dmp

Filesize
124KB

Download
memory/1504-98-0x000000001B266000-0x000000001B285000-memory.dmp

Filesize
124KB

Download
memory/1504-60-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/1504-72-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/1504-59-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/1504-71-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1504-70-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/1504-69-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1504-55-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/1504-54-0x0000000000C70000-0x0000000000F14000-memory.dmp

Filesize
2.6MB

Download
memory/1504-68-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/1504-57-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1504-56-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/1504-67-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/1504-66-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1504-61-0x000000001B080000-0x000000001B08A000-memory.dmp

Filesize
40KB

Download
memory/1504-62-0x00000000009B0000-0x0000000000A06000-memory.dmp

Filesize
344KB

Download
memory/1504-63-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1504-65-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1504-64-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1588-77-0x0000000000000000-mapping.dmp

Download
memory/1732-118-0x0000000000000000-mapping.dmp

Download
memory/1732-141-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/1732-125-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1732-159-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1732-134-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1732-163-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1732-154-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1740-99-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1740-165-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1740-147-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1740-81-0x0000000000000000-mapping.dmp

Download
memory/1740-160-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1740-105-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1740-102-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/1748-95-0x0000000000000000-mapping.dmp

Download
memory/1812-75-0x0000000000000000-mapping.dmp

Download
memory/1812-150-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1812-162-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1812-104-0x000007FEE9BC0000-0x000007FEEA71D000-memory.dmp

Filesize
11.4MB

Download
memory/1812-90-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1812-109-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1812-167-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1816-133-0x0000000000000000-mapping.dmp

Download
memory/1876-97-0x0000000000000000-mapping.dmp

Download
memory/1972-137-0x0000000000000000-mapping.dmp

Download
memory/1972-140-0x0000000000380000-0x0000000000624000-memory.dmp

Filesize
2.6MB

Download
memory/1972-144-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1972-152-0x000000001B436000-0x000000001B455000-memory.dmp

Filesize
124KB

Download
memory/1972-145-0x000000001B436000-0x000000001B455000-memory.dmp

Filesize
124KB

Download