dcrat | 2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

Analysis

max time kernel
53s
max time network
87s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Size

1.9MB
MD5

51ee1c43b8c4c83a1ee89f486a002e8a
SHA1

ac3559b85e9f8328fc661c4f7dc17d464aa461fa
SHA256

2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
SHA512

3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6
SSDEEP

49152:SIsY+oZb+wZGTt6IDmYYg+tfxXi1Mq39V:SIg6IDatJXbM9V

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dwm.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2460	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2460	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe
424	powershell.exe
1848	powershell.exe
2468	powershell.exe
1856	powershell.exe
2212	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
584	dwm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dwm.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\twain_32\\OSPPSVC.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\Visualizations\\csrss.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dwm.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\twain_32\\OSPPSVC.exe\""	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC959EC0EE96954B8A96CD551FAC8B9D24.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Visualizations\csrss.exe	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
File created	C:\Program Files\Windows Media Player\Visualizations\886983d96e3d3e	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\OSPPSVC.exe	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
File created	C:\Windows\twain_32\1610b97d3ab4a7	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe
1228	schtasks.exe
1516	schtasks.exe
2492	schtasks.exe
1184	schtasks.exe
2552	schtasks.exe
632	schtasks.exe
2868	schtasks.exe
2516	schtasks.exe
2088	schtasks.exe
2032	schtasks.exe
2316	schtasks.exe
484	schtasks.exe
2076	schtasks.exe
2776	schtasks.exe
2892	schtasks.exe
2564	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	584	dwm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1844	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	34
PID 2780 wrote to memory of 1844	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	34
PID 2780 wrote to memory of 1844	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	34
PID 1844 wrote to memory of 2120	1844	csc.exe	36
PID 1844 wrote to memory of 2120	1844	csc.exe	36
PID 1844 wrote to memory of 2120	1844	csc.exe	36
PID 2780 wrote to memory of 2212	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	52
PID 2780 wrote to memory of 2212	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	52
PID 2780 wrote to memory of 2212	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	52
PID 2780 wrote to memory of 1140	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	53
PID 2780 wrote to memory of 1140	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	53
PID 2780 wrote to memory of 1140	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	53
PID 2780 wrote to memory of 1856	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	54
PID 2780 wrote to memory of 1856	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	54
PID 2780 wrote to memory of 1856	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	54
PID 2780 wrote to memory of 2468	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	55
PID 2780 wrote to memory of 2468	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	55
PID 2780 wrote to memory of 2468	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	55
PID 2780 wrote to memory of 424	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	58
PID 2780 wrote to memory of 424	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	58
PID 2780 wrote to memory of 424	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	58
PID 2780 wrote to memory of 1848	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	59
PID 2780 wrote to memory of 1848	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	59
PID 2780 wrote to memory of 1848	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	59
PID 2780 wrote to memory of 1992	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	64
PID 2780 wrote to memory of 1992	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	64
PID 2780 wrote to memory of 1992	2780	2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe	64
PID 1992 wrote to memory of 1636	1992	cmd.exe	66
PID 1992 wrote to memory of 1636	1992	cmd.exe	66
PID 1992 wrote to memory of 1636	1992	cmd.exe	66
PID 1992 wrote to memory of 1732	1992	cmd.exe	67
PID 1992 wrote to memory of 1732	1992	cmd.exe	67
PID 1992 wrote to memory of 1732	1992	cmd.exe	67
PID 1992 wrote to memory of 584	1992	cmd.exe	68
PID 1992 wrote to memory of 584	1992	cmd.exe	68
PID 1992 wrote to memory of 584	1992	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe
"C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kxl4h4ta\kxl4h4ta.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78D8.tmp" "c:\Windows\System32\CSC959EC0EE96954B8A96CD551FAC8B9D24.TMP"
    3⤵
    PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42ySuzm8ZS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1636
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1732
- - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe
    "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd132532" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd132532" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\42ySuzm8ZS.bat

Filesize
232B

MD5
89836581cea0e437db391eb1e14f3b0f

SHA1
edda27e0e2f8ac08e940e09b2ab85b6763ff3d54

SHA256
b855e82b19575b9cb5e9b6e5f4ca6ca05cac08d1f4274ac4776eb7c816934bbb

SHA512
6ea7d93c34bd0e6a5ce0fc2ffa4fd427d53f62d016482ad5172978abd69e7fec74ae08874f6fbe2d5ca882bdccf110e7bd78f3b80862d139b02b92989317ba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78D8.tmp

Filesize
1KB

MD5
38bef38fc6977b0b9ad5d9630a1e1fd5

SHA1
73e0f494d8e1d5e3245b5245013b2e54b26d863b

SHA256
fbbb814ef1f2d482f41f840d527ce9fc78ea773be431f7f5f0837eac7298c68c

SHA512
8f71385911e9f926f235318e1717cf75bd35ac47e03dcba49f826b831b278a217ee37ea9cd81bab09679ff8b1290146aa0b377672b5401f91bf1699c162a12b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c14ce59fb7c226fc4177044136c4e6ff

SHA1
f094ef6e9ad1d7c66b447f6e6a747fd8d3dde261

SHA256
5a48fed156001b97711262e795c6d85d17983544830292566ec7f210bc6ece21

SHA512
7f9f8c3d820f375e0e7b85c10ecf35f3d5d66aa4be00f58fc5489de2c087d692e978b0cacb89861ce0e8177d57e5910fc2a0d61751084c0dfcc85e317aad54aa

Download Submit
C:\Windows\twain_32\OSPPSVC.exe

Filesize
1.9MB

MD5
51ee1c43b8c4c83a1ee89f486a002e8a

SHA1
ac3559b85e9f8328fc661c4f7dc17d464aa461fa

SHA256
2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253

SHA512
3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kxl4h4ta\kxl4h4ta.0.cs

Filesize
363B

MD5
e1303d2308578f6aacec48cf7148870e

SHA1
5df10031c66bf74e9247865e7284c46d0535b789

SHA256
73f3bb02e8015511426da1dffae1ae26466b96837a5292a702cb95988f7d27a6

SHA512
922922299720d979ebd3865509cd7cdb398a4b692a715273e555b3bf3f02643b0c79856e412ed4861e597a068d271ee949f236c9935ffc9a91aa131859b50a1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kxl4h4ta\kxl4h4ta.cmdline

Filesize
235B

MD5
2a0b277b054d84ec91c2e605850f5533

SHA1
e6a014d0eab20a82a9269c5bca09eb6db282a128

SHA256
0a2c4f0800c9c29df945010324bb612c0372482fd83a9157095aae2993ccb12b

SHA512
06f0e38c60d87374ca2507a1f2c846c5c87fccaa684170d02e5d1d38d0193fd5ebcf4b4f8534d3a922c555e9dbf0a2d51b5df36625512be593018f4818e2ae3c

Download Submit
\??\c:\Windows\System32\CSC959EC0EE96954B8A96CD551FAC8B9D24.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
memory/584-90-0x0000000000AA0000-0x0000000000C88000-memory.dmp

Filesize
1.9MB

Download
memory/1856-76-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1856-74-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2780-16-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2780-10-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2780-17-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-22-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-21-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-20-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2780-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2780-14-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/2780-34-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2780-35-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-12-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/2780-18-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-8-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-6-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2780-48-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-49-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-50-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-7-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-4-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-3-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-87-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-1-0x00000000000D0000-0x00000000002B8000-memory.dmp

Filesize
1.9MB

Download