dcrat | a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Size

1.7MB
MD5

45ebb562b38bb86e6375e19eb7f699ad
SHA1

c3470337ef4b26a518260a9e009b474103e5baf5
SHA256

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68
SHA512

c71a64596adb6e1785f7141f20c2b6cc1e1ae3fa53978dccb9e282df45d5318be10ab4c2352e49927bbdb5e314b5406f46a98d862a67d9a3d5364b58599ba495
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2696	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2172-1-0x0000000000890000-0x0000000000A46000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	dcrat
behavioral1/memory/704-148-0x0000000000860000-0x0000000000A16000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1588	powershell.exe
1616	powershell.exe
352	powershell.exe
1076	powershell.exe
2584	powershell.exe
1804	powershell.exe
1816	powershell.exe
1992	powershell.exe
1508	powershell.exe
1344	powershell.exe
1756	powershell.exe
2484	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Executes dropped EXE 2 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

pid	process
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2024	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Drops file in Program Files directory 20 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX77D7.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\6ccacd8608530f	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\RCX7BF0.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX79EC.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX7DF5.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX7E05.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX77D8.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\46122ebb36408f	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX79EB.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\RCX7BF1.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\69ddcba757bf72	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Drops file in Windows directory 5 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	ioc	process
File created	C:\Windows\Globalization\taskhost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File created	C:\Windows\Globalization\b75386f1303e64	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Globalization\RCX75D2.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Globalization\RCX75D3.tmp	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
File opened for modification	C:\Windows\Globalization\taskhost.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2908	schtasks.exe
2640	schtasks.exe
3012	schtasks.exe
1496	schtasks.exe
1152	schtasks.exe
2364	schtasks.exe
2116	schtasks.exe
3068	schtasks.exe
2720	schtasks.exe
2120	schtasks.exe
3060	schtasks.exe
2520	schtasks.exe
2536	schtasks.exe
856	schtasks.exe
1928	schtasks.exe
1720	schtasks.exe
2888	schtasks.exe
2736	schtasks.exe
780	schtasks.exe
1900	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

pid	process
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
352	powershell.exe
1588	powershell.exe
2484	powershell.exe
1756	powershell.exe
1804	powershell.exe
1992	powershell.exe
1816	powershell.exe
1508	powershell.exe
1076	powershell.exe
1616	powershell.exe
1344	powershell.exe
2584	powershell.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2024	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2024	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
2024	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exepowershell.exepowershell.exepowershell.exepowershell.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

description	pid	process
Token: SeDebugPrivilege	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2024	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exea28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exeWScript.exe

description	pid	process	target process
PID 2172 wrote to memory of 1588	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1588	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1588	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1616	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1616	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1616	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2484	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2484	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2484	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1804	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1804	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1804	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1756	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1756	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1756	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1344	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1344	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1344	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1508	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1508	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1508	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2584	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2584	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 2584	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1992	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1992	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1992	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1076	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1076	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1076	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 352	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 352	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 352	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1816	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1816	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 1816	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	powershell.exe
PID 2172 wrote to memory of 704	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
PID 2172 wrote to memory of 704	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
PID 2172 wrote to memory of 704	2172	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
PID 704 wrote to memory of 1140	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 704 wrote to memory of 1140	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 704 wrote to memory of 1140	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 704 wrote to memory of 1528	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 704 wrote to memory of 1528	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 704 wrote to memory of 1528	704	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe	WScript.exe
PID 1140 wrote to memory of 2024	1140	WScript.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
PID 1140 wrote to memory of 2024	1140	WScript.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
PID 1140 wrote to memory of 2024	1140	WScript.exe	a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
"C:\Users\Admin\AppData\Local\Temp\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
  "C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05bcae39-9834-4502-a5d6-ec3b5908dcdc.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe
      "C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\405a91e0-cdc5-4c05-a929-0667b308b136.vbs"
    3⤵
    PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Globalization\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68a" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68a" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe

Filesize
1.7MB

MD5
45ebb562b38bb86e6375e19eb7f699ad

SHA1
c3470337ef4b26a518260a9e009b474103e5baf5

SHA256
a28a597c8feb874a3e13d38a2b8d56ce8fb7e3256146b63450e746eb6d1e2d68

SHA512
c71a64596adb6e1785f7141f20c2b6cc1e1ae3fa53978dccb9e282df45d5318be10ab4c2352e49927bbdb5e314b5406f46a98d862a67d9a3d5364b58599ba495

Download Submit
C:\Users\Admin\AppData\Local\Temp\05bcae39-9834-4502-a5d6-ec3b5908dcdc.vbs

Filesize
791B

MD5
2c6b40d6ac0eef157c5c5b101a6f44d2

SHA1
db97fe20dbd75c063a962a5a2c390ff7d8e9eca9

SHA256
90731dff488c087380ddf22cbdfe204bfb389374b5528f0775ae3ba2c3ad6437

SHA512
eecf09d13724be323986f8d915a942b5463ec643a76331dac525436371cff230f2d803319541fef551925730e11da6b02ac4b95f81dda3307d1fe3641c5b5c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\405a91e0-cdc5-4c05-a929-0667b308b136.vbs

Filesize
568B

MD5
84c1ccb71f34c52e7d835c2db735ddb7

SHA1
c0059f23836533e1dcd3a7555147a8cbe1b46906

SHA256
6c1ffbb2738c262670ac77a30d4f307aaa0c197c6b7ed9220f43157ee52ae807

SHA512
c62fa96d546132112b51e3fc996bb5e8a0449c47091b15ddb93809bb388c93f92cc7a03331337a59af553d518d1d69aa54a90dd4a15b9ec4860320864a6abeb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b930435d8c97488a062448d22788909b

SHA1
f1a4e6d7e03a46ee5a09af58514c318da5350023

SHA256
d4488da64a0512fddabbf8afd0819d1fecb670ad519c470c0a8fd289f1774629

SHA512
bbb0386533a9867c2b9435d13ce8f39d229b6f1c80d9c62cfa17646be6753d7f955e903e3bf34f3f16a0d3d9b25877847309947d6ab01c2a3940abc2fd6fccd4

Download Submit
memory/352-149-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/704-186-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/704-148-0x0000000000860000-0x0000000000A16000-memory.dmp

Filesize
1.7MB

Download
memory/1756-147-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2024-202-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2172-7-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2172-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2172-12-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2172-13-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2172-14-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2172-15-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2172-16-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2172-17-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2172-20-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-10-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2172-8-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2172-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2172-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2172-150-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-4-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2172-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2172-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-1-0x0000000000890000-0x0000000000A46000-memory.dmp

Filesize
1.7MB

Download