Overview

overview

10

Static

static

3

2103ddb95f...8f.exe

windows7-x64

10

2103ddb95f...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

  • Size

    4.9MB

  • MD5

    8be8a5d36bb940a1d6b70d3277ca420a

  • SHA1

    50e6780f3711ab913e56e1f159d34ef4e29e9bea

  • SHA256

    2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

  • SHA512

    f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8X:v

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 41 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
    "C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:4452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Recovery\WindowsRE\Idle.exe
      "C:\Recovery\WindowsRE\Idle.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4112
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f81780-a117-4ff8-bb56-fc5a7be85b52.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Recovery\WindowsRE\Idle.exe
          C:\Recovery\WindowsRE\Idle.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2388
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81073bc9-f262-48c6-9631-516c6ef7c8d5.vbs"
            5⤵
              PID:2948
              • C:\Recovery\WindowsRE\Idle.exe
                C:\Recovery\WindowsRE\Idle.exe
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:2880
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c1da28d-59dd-4704-9595-4b2ece81e465.vbs"
                  7⤵
                    PID:2444
                    • C:\Recovery\WindowsRE\Idle.exe
                      C:\Recovery\WindowsRE\Idle.exe
                      8⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:1260
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc58e491-be8b-4eaa-8470-28c5c2d57d55.vbs"
                        9⤵
                          PID:4648
                          • C:\Recovery\WindowsRE\Idle.exe
                            C:\Recovery\WindowsRE\Idle.exe
                            10⤵
                            • UAC bypass
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • System policy modification
                            PID:2388
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7691112-b0e5-4bab-ac4e-bdce24b66bb8.vbs"
                              11⤵
                                PID:1276
                                • C:\Recovery\WindowsRE\Idle.exe
                                  C:\Recovery\WindowsRE\Idle.exe
                                  12⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:4008
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba36a8d-052c-4915-ba4a-7eaf2fcf6784.vbs"
                                    13⤵
                                      PID:4460
                                      • C:\Recovery\WindowsRE\Idle.exe
                                        C:\Recovery\WindowsRE\Idle.exe
                                        14⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:3300
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32e0ceda-c6d8-42c0-bc4c-b0910907b55d.vbs"
                                          15⤵
                                            PID:4324
                                            • C:\Recovery\WindowsRE\Idle.exe
                                              C:\Recovery\WindowsRE\Idle.exe
                                              16⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:1428
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b36e1ed-8cbe-4ea0-9170-7c9698ed6de7.vbs"
                                                17⤵
                                                  PID:2028
                                                  • C:\Recovery\WindowsRE\Idle.exe
                                                    C:\Recovery\WindowsRE\Idle.exe
                                                    18⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4464
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97111a71-3891-479a-9984-1acda8304641.vbs"
                                                      19⤵
                                                        PID:1376
                                                        • C:\Recovery\WindowsRE\Idle.exe
                                                          C:\Recovery\WindowsRE\Idle.exe
                                                          20⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:3120
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87e0e372-d386-489f-b1d7-e4a48aba6c1f.vbs"
                                                            21⤵
                                                              PID:4152
                                                              • C:\Recovery\WindowsRE\Idle.exe
                                                                C:\Recovery\WindowsRE\Idle.exe
                                                                22⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:4672
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d2e4325-803b-4f93-969e-226013e06b15.vbs"
                                                                  23⤵
                                                                    PID:4880
                                                                    • C:\Recovery\WindowsRE\Idle.exe
                                                                      C:\Recovery\WindowsRE\Idle.exe
                                                                      24⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:1828
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af8ed067-415c-48d5-a956-645d1aabc0fa.vbs"
                                                                        25⤵
                                                                          PID:1092
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e79a20f-1bc4-47ae-8646-972198b40731.vbs"
                                                                          25⤵
                                                                            PID:3056
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\166070dd-3e6e-4efe-96f5-6b8e252a06d7.vbs"
                                                                        23⤵
                                                                          PID:2100
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp406A.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp406A.tmp.exe"
                                                                          23⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2872
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp406A.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp406A.tmp.exe"
                                                                            24⤵
                                                                            • Executes dropped EXE
                                                                            PID:1924
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\171cac2e-802b-4ef8-9e00-cd83d0cbf999.vbs"
                                                                      21⤵
                                                                        PID:3080
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp2466.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp2466.tmp.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4420
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp2466.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp2466.tmp.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          PID:3436
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c164d02-bafb-4928-9fde-65d2bed04546.vbs"
                                                                    19⤵
                                                                      PID:3624
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp90E.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp90E.tmp.exe"
                                                                      19⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1536
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp90E.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp90E.tmp.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        PID:5100
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c0984a-fe10-40da-915b-e3aa35d1f466.vbs"
                                                                  17⤵
                                                                    PID:1328
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe"
                                                                    17⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4816
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe"
                                                                      18⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3188
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe"
                                                                        19⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3516
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpD9A2.tmp.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          PID:3808
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9399fa7-d274-4e5f-a51e-fe8db7a34a96.vbs"
                                                                15⤵
                                                                  PID:4052
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpA9B8.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpA9B8.tmp.exe"
                                                                  15⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:884
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpA9B8.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpA9B8.tmp.exe"
                                                                    16⤵
                                                                    • Executes dropped EXE
                                                                    PID:5044
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2bb01ba-0e9b-48da-b1eb-1da326647e2f.vbs"
                                                              13⤵
                                                                PID:3480
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe"
                                                                13⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4572
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe"
                                                                  14⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4996
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp76E1.tmp.exe"
                                                                    15⤵
                                                                    • Executes dropped EXE
                                                                    PID:392
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a958330a-3bda-480e-8d82-3ee5fff61f92.vbs"
                                                            11⤵
                                                              PID:4708
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4551.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp4551.tmp.exe"
                                                              11⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2576
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4551.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp4551.tmp.exe"
                                                                12⤵
                                                                • Executes dropped EXE
                                                                PID:4872
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccc08959-2503-4e35-9bde-0e217711e0c4.vbs"
                                                          9⤵
                                                            PID:4320
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp272A.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp272A.tmp.exe"
                                                            9⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1816
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp272A.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp272A.tmp.exe"
                                                              10⤵
                                                              • Executes dropped EXE
                                                              PID:3612
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0fce59-9731-44c4-acfd-9497c73d41ab.vbs"
                                                        7⤵
                                                          PID:4364
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpF656.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpF656.tmp.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2592
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpF656.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpF656.tmp.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:3940
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42738328-3bce-42ea-8a90-3fddf7858a4f.vbs"
                                                      5⤵
                                                        PID:4200
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp.exe"
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:1908
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp.exe"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:4052
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\655ae96f-37d3-4583-a403-29c62bf82e7e.vbs"
                                                    3⤵
                                                      PID:768
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1628
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2972
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpA846.tmp.exe"
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:3928
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4312
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1584
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2020
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3140
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1032
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2196
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:884
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2944
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1500
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\System.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2856
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4512
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3496
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3052
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2032
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4080

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  4a667f150a4d1d02f53a9f24d89d53d1

                                                  SHA1

                                                  306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                  SHA256

                                                  414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                  SHA512

                                                  4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  440cb38dbee06645cc8b74d51f6e5f71

                                                  SHA1

                                                  d7e61da91dc4502e9ae83281b88c1e48584edb7c

                                                  SHA256

                                                  8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                                                  SHA512

                                                  3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  d28a889fd956d5cb3accfbaf1143eb6f

                                                  SHA1

                                                  157ba54b365341f8ff06707d996b3635da8446f7

                                                  SHA256

                                                  21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                  SHA512

                                                  0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  5f0ddc7f3691c81ee14d17b419ba220d

                                                  SHA1

                                                  f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                  SHA256

                                                  a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                  SHA512

                                                  2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  cadef9abd087803c630df65264a6c81c

                                                  SHA1

                                                  babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                  SHA256

                                                  cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                  SHA512

                                                  7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  59d97011e091004eaffb9816aa0b9abd

                                                  SHA1

                                                  1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                  SHA256

                                                  18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                  SHA512

                                                  d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  bd5940f08d0be56e65e5f2aaf47c538e

                                                  SHA1

                                                  d7e31b87866e5e383ab5499da64aba50f03e8443

                                                  SHA256

                                                  2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                  SHA512

                                                  c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\32e0ceda-c6d8-42c0-bc4c-b0910907b55d.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  c851b7f9a35b65d305711c505b4b7c4d

                                                  SHA1

                                                  0521680843a9ff6d713f8dd9b97642f71e613fad

                                                  SHA256

                                                  fa2c6a967afaa762022ebb9cb742bf31de45098c20644768594585db246fbcd3

                                                  SHA512

                                                  3adb96130136db99250f00ce3c0021377de9a9db6c011166359a67e27370858e88dc40d130c23617024858445899bdbfb962c75f530e9dbed4c4b4a939f74f16

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\5c1da28d-59dd-4704-9595-4b2ece81e465.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  b49d8a18d5e398d17d12d94d7f77a242

                                                  SHA1

                                                  ab0731c2cd2b133c68efcc8594b56851adc2ceaa

                                                  SHA256

                                                  8d0000d1e9f4e84790f6fdebcf03bb8f84c20388eb6d3d882e79020c9ddf0493

                                                  SHA512

                                                  5244470cc644f6461ceb5cc5e0bac60419d755724185c3fdc434a8e954e655866bc6f28b07cc4e6b1528cfe567ac6dc3b43bf3e040e20964a597a54218efdfaa

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\655ae96f-37d3-4583-a403-29c62bf82e7e.vbs
                                                  Filesize

                                                  482B

                                                  MD5

                                                  11f1172fac2a38230e1feb5b2845a843

                                                  SHA1

                                                  50ad29dacca77151b239c8e73abd3a74e35fb237

                                                  SHA256

                                                  56cd20337bbbeefdf49bb162f2b09f96a6ced9cee2182477ea31b80d54d01a35

                                                  SHA512

                                                  a06da5d6f7e90034f6e01b0a3f09bda175800d60eabbd9ca5570fca0aead2b849bb96482ac37053cf8f605f2e68398ea86aea0b0be267db2ce8a9180e2d00f1b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\81073bc9-f262-48c6-9631-516c6ef7c8d5.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  e31a341d02589be35bc8b15562467f79

                                                  SHA1

                                                  4f5a6045a1292177fb3833835e8d6fddba17fb93

                                                  SHA256

                                                  1b707fd5decf996ae7f6bb80cee90ee948bdd710a3ddd10c244ceba38a096988

                                                  SHA512

                                                  21a3e838c0ef981f81a2ef2f3d924703c6778d394034bbd8f23a1cbb4225e9333f32256ddb314c1b27406d79165c6e32242ae45f29cfaae0f3c1a2fbc0ef3796

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjrqresi.jmr.ps1
                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\aba36a8d-052c-4915-ba4a-7eaf2fcf6784.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  fa683d9e8e11ede4cbf1e1e71a98e05b

                                                  SHA1

                                                  ac4adacf7dbf13d744f4a6b1c4e153550b3df314

                                                  SHA256

                                                  8c566208df5f3efafe71fc9022df167a753716065628c4c60fd95cd46c8ae791

                                                  SHA512

                                                  5d07fe98772cf39c117ecefe3a5c9e79838a2a4db0f24ed47fb601853fead30f4ef0187386d38b5c01324e95fc4625e6507117ec7effd22b4ad3e93a3327a91c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\cc58e491-be8b-4eaa-8470-28c5c2d57d55.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  bef39fbea5c3af5119b443002b69f64c

                                                  SHA1

                                                  352d376cbeb05f531b1c5c7f5277d348e7931341

                                                  SHA256

                                                  d14daad402feb365da85648fd0d91f15b8b4c3fd6f8aa9489ed8577d2363b486

                                                  SHA512

                                                  79f3cc503b74369de26a0955a199003389defeece694cd2d45fb08441fdfa9f16bb6d47b67b4a65ebe68e9aebfb011b2b4eb0c8c0cdd067c6a1107267c0f2ac2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\f1f81780-a117-4ff8-bb56-fc5a7be85b52.vbs
                                                  Filesize

                                                  706B

                                                  MD5

                                                  3e38eda9d87cea6ae4708e13988df47e

                                                  SHA1

                                                  684b05d591c4d6663c13cfffd4eef211affd88c2

                                                  SHA256

                                                  f7f92b77c06e7fde3803a23ec7220c3ae117315dece8800213cde74b2e724523

                                                  SHA512

                                                  fbb49a615afe6b1f848eeb6c2594c20f2fc7f3715fee2332b5ed8501163ed7c32e7851be15746ba22d819c6ae3e801b80221e26d586818ab5d551b7cc9577d0e

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
                                                  Filesize

                                                  75KB

                                                  MD5

                                                  e0a68b98992c1699876f818a22b5b907

                                                  SHA1

                                                  d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                  SHA256

                                                  2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                  SHA512

                                                  856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                  Download Submit

                                                • C:\Users\Public\winlogon.exe
                                                  Filesize

                                                  4.9MB

                                                  MD5

                                                  1a3ceb280bf71c6516839bb887c895e4

                                                  SHA1

                                                  3dda6ce8da111709d5a49174a3f118daf4fd51d4

                                                  SHA256

                                                  637ad536bf9a2d9c74adb12f4f6dab2a7242fbd2a536a80d48ee40ae2adb6733

                                                  SHA512

                                                  e01bc21703544a4e8215becd610a18015f073fc51925b19a42bb48c6f984a14063f9ab2b3c1fd5efb8d263e82330f220d5003d92533f9cf6d07268f738ac1776

                                                  Download Submit

                                                • C:\Users\Public\winlogon.exe
                                                  Filesize

                                                  4.9MB

                                                  MD5

                                                  8be8a5d36bb940a1d6b70d3277ca420a

                                                  SHA1

                                                  50e6780f3711ab913e56e1f159d34ef4e29e9bea

                                                  SHA256

                                                  2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

                                                  SHA512

                                                  f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5

                                                  Download Submit

                                                • memory/3548-12-0x000000001C250000-0x000000001C778000-memory.dmp

                                                  Filesize

                                                  5.2MB

                                                  Download

                                                • memory/3548-7-0x00000000028B0000-0x00000000028C0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/3548-11-0x0000000002910000-0x0000000002922000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/3548-17-0x00000000029B0000-0x00000000029B8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/3548-18-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/3548-13-0x0000000002920000-0x000000000292A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/3548-2-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/3548-240-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/3548-10-0x0000000002900000-0x000000000290A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/3548-15-0x0000000002990000-0x000000000299E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/3548-1-0x0000000000240000-0x0000000000734000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/3548-0-0x00007FFE39143000-0x00007FFE39145000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/3548-14-0x0000000002930000-0x000000000293E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/3548-9-0x00000000028F0000-0x0000000002900000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/3548-8-0x00000000028C0000-0x00000000028D6000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/3548-6-0x00000000028A0000-0x00000000028A8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/3548-16-0x00000000029A0000-0x00000000029A8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/3548-5-0x0000000002940000-0x0000000002990000-memory.dmp

                                                  Filesize

                                                  320KB

                                                  Download

                                                • memory/3548-4-0x0000000001040000-0x000000000105C000-memory.dmp

                                                  Filesize

                                                  112KB

                                                  Download

                                                • memory/3548-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp

                                                  Filesize

                                                  1.2MB

                                                  Download

                                                • memory/4376-138-0x0000018458FB0000-0x0000018458FD2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/4452-72-0x0000000000400000-0x0000000000407000-memory.dmp

                                                  Filesize

                                                  28KB

                                                  Download