zgrat | fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533

Analysis

max time kernel
122s
max time network
160s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
Size

1.9MB
MD5

541a9d3031657ebc794dc43a70511384
SHA1

1c18826b93532c58a2a20ac1061e4309e7441867
SHA256

fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533
SHA512

fd3df8395904bad5ab23ebc1ac21febac8a55ebfe390039cba6b35d47c41963e91cc17f6c2144b024dc1d100528beec5ab6ee337b8181fb7c6630c6fef5e3c22
SSDEEP

24576:s7USn+9Co5+54pIbtNSPouMVMOU93aBOR/UCtN0FSrSOdJw1EgfqBhR5OMqj6oxq:8qIZuMCso1U6Tda1lAeMsynjCM5x6

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000300000-0x00000000004E6000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000016cb1-34.dat	family_zgrat_v1
behavioral1/files/0x0034000000015c8e-206.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	548	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	548	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000300000-0x00000000004E6000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0008000000016cb1-34.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0034000000015c8e-206.dat	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2972	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\27d1bcfc3c54e0	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\csrss.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\it-IT\886983d96e3d3e	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\Branding\System.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\Branding\27d1bcfc3c54e0	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\0a1fd5f707cd16	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\es-ES\taskhost.exe	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
File created	C:\Windows\es-ES\b75386f1303e64	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe
2856	schtasks.exe
1652	schtasks.exe
2804	schtasks.exe
3012	schtasks.exe
2736	schtasks.exe
2680	schtasks.exe
1204	schtasks.exe
2672	schtasks.exe
676	schtasks.exe
1484	schtasks.exe
1724	schtasks.exe
3068	schtasks.exe
2464	schtasks.exe
1868	schtasks.exe
2008	schtasks.exe
1332	schtasks.exe
2700	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2972	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2908	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	47
PID 1936 wrote to memory of 2908	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	47
PID 1936 wrote to memory of 2908	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	47
PID 1936 wrote to memory of 1896	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	48
PID 1936 wrote to memory of 1896	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	48
PID 1936 wrote to memory of 1896	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	48
PID 1936 wrote to memory of 856	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	50
PID 1936 wrote to memory of 856	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	50
PID 1936 wrote to memory of 856	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	50
PID 1936 wrote to memory of 1364	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	52
PID 1936 wrote to memory of 1364	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	52
PID 1936 wrote to memory of 1364	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	52
PID 1936 wrote to memory of 2116	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	53
PID 1936 wrote to memory of 2116	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	53
PID 1936 wrote to memory of 2116	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	53
PID 1936 wrote to memory of 1508	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	56
PID 1936 wrote to memory of 1508	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	56
PID 1936 wrote to memory of 1508	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	56
PID 1936 wrote to memory of 2280	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	57
PID 1936 wrote to memory of 2280	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	57
PID 1936 wrote to memory of 2280	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	57
PID 1936 wrote to memory of 1352	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	58
PID 1936 wrote to memory of 1352	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	58
PID 1936 wrote to memory of 1352	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	58
PID 1936 wrote to memory of 1236	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	59
PID 1936 wrote to memory of 1236	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	59
PID 1936 wrote to memory of 1236	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	59
PID 1936 wrote to memory of 1920	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	60
PID 1936 wrote to memory of 1920	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	60
PID 1936 wrote to memory of 1920	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	60
PID 1936 wrote to memory of 1156	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	61
PID 1936 wrote to memory of 1156	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	61
PID 1936 wrote to memory of 1156	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	61
PID 1936 wrote to memory of 2928	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	62
PID 1936 wrote to memory of 2928	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	62
PID 1936 wrote to memory of 2928	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	62
PID 1936 wrote to memory of 2268	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	64
PID 1936 wrote to memory of 2268	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	64
PID 1936 wrote to memory of 2268	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	64
PID 1936 wrote to memory of 2272	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	66
PID 1936 wrote to memory of 2272	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	66
PID 1936 wrote to memory of 2272	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	66
PID 1936 wrote to memory of 1056	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	68
PID 1936 wrote to memory of 1056	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	68
PID 1936 wrote to memory of 1056	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	68
PID 1936 wrote to memory of 2320	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	69
PID 1936 wrote to memory of 2320	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	69
PID 1936 wrote to memory of 2320	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	69
PID 1936 wrote to memory of 1532	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	70
PID 1936 wrote to memory of 1532	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	70
PID 1936 wrote to memory of 1532	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	70
PID 1936 wrote to memory of 1876	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	71
PID 1936 wrote to memory of 1876	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	71
PID 1936 wrote to memory of 1876	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	71
PID 1936 wrote to memory of 2260	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	83
PID 1936 wrote to memory of 2260	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	83
PID 1936 wrote to memory of 2260	1936	fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe	83
PID 2260 wrote to memory of 2980	2260	cmd.exe	85
PID 2260 wrote to memory of 2980	2260	cmd.exe	85
PID 2260 wrote to memory of 2980	2260	cmd.exe	85
PID 2260 wrote to memory of 2804	2260	cmd.exe	86
PID 2260 wrote to memory of 2804	2260	cmd.exe	86
PID 2260 wrote to memory of 2804	2260	cmd.exe	86
PID 2260 wrote to memory of 2972	2260	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe
"C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\System.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t5YQAc7xk1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2980
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Branding\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533f" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533f" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe

Filesize
768KB

MD5
fdeadb417aa329cf09c8df606c55e9ae

SHA1
495afbb95e965462a61dd85ca3bcd5226dd9873c

SHA256
ec79df375bc789735489bc1cda623b9f4ad8a78aa3983874a505ef3d64496d72

SHA512
6cf3471e2f073730bf4db0db77ba7289469cab43e0c092278a34e5e2a5caed0a45cfd2fffda970ee5e9f9c1c1f87ef2f47e666c55faa059b32155b85e8c7371d

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5YQAc7xk1.bat

Filesize
259B

MD5
5656e1fcaa92999f94f4677445d75a0e

SHA1
06e1ca6e60ae019fe7eff07cbb05479fcc009600

SHA256
004779f636871bff8fcd32b0d08917b8677309ca07945020cbdd1ab3c4af2bdc

SHA512
90c08d04e18a5d955c80c65cc462857be06131a6dda29cb263f8c63fdbc322307a9847a233386c3e90d22beec25ddf7e07f1c9b23652ce7ffc28f15bf4babc9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ea9faa05fde44ff53513a678e90b49f

SHA1
7f480524c53057843ac1bdf188b299164fd63dae

SHA256
18b5dc7afe413ca8535cd7ffe16b28df18869940c0bdf0538697ba1559ef9711

SHA512
7ae6e1f0c4f8d18f42b23627996e04009864a6cb0793bd046e852d58f98c5a0deef6ca2c3de4ccc271385236f57f2aee9eb259a62ec891d33e4ed4f305302360

Download Submit
C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe

Filesize
1.9MB

MD5
541a9d3031657ebc794dc43a70511384

SHA1
1c18826b93532c58a2a20ac1061e4309e7441867

SHA256
fb40acdca9c484f7d43b5e2c7ac8e2fcb129fd90fc5d1f549f84f3d283e43533

SHA512
fd3df8395904bad5ab23ebc1ac21febac8a55ebfe390039cba6b35d47c41963e91cc17f6c2144b024dc1d100528beec5ab6ee337b8181fb7c6630c6fef5e3c22

Download Submit
memory/856-158-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/856-157-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/856-159-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/856-164-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1056-167-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1056-166-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1056-165-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-169-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/1156-168-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-171-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/1156-170-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/1236-151-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1236-140-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1236-139-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1236-137-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1236-136-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1364-147-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1364-149-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1364-153-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1364-74-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1364-152-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1364-156-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1508-172-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/1508-173-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1508-174-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1936-24-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-18-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-2-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-138-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-39-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1936-4-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-5-0x0000000077800000-0x0000000077801000-memory.dmp

Filesize
4KB

Download
memory/1936-6-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-38-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-8-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1936-37-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-36-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1936-25-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/1936-9-0x00000000777F0000-0x00000000777F1000-memory.dmp

Filesize
4KB

Download
memory/1936-11-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/1936-0-0x0000000000300000-0x00000000004E6000-memory.dmp

Filesize
1.9MB

Download
memory/1936-22-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/1936-13-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/1936-20-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1936-17-0x00000000777D0000-0x00000000777D1000-memory.dmp

Filesize
4KB

Download
memory/1936-14-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/1936-16-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2116-143-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2116-148-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-160-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2116-141-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-142-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2268-163-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2268-161-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2268-162-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2280-154-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/2280-150-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-146-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-144-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-69-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2908-145-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2928-155-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download