dcrat | 08b960976b9ab83018f62874758a07d07031182b60a682141bce7599e34e5981

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/10/2022, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb54fe9938168c64ee9dbdc0982a9917.exe
Size

1.1MB
MD5

cb54fe9938168c64ee9dbdc0982a9917
SHA1

9b9e8e726a5b85e4e5dd1393f6d7492715ff51e5
SHA256

08b960976b9ab83018f62874758a07d07031182b60a682141bce7599e34e5981
SHA512

170c95d305a9e4a0fb855d2f84cd501551eaa6424a5a56110c4e10f092278833df670ea0cb3f8362263ebf56e513aa1bcc662dab7e616849bf876e512fcbf28f
SSDEEP

12288:qDNE5BggCqq44nBH9IB5SxyU6UD7/MoAhxEkNiwZG7Tn5jnv/7uTi3X1enGQtxRH:qDNb/JBH9e7mEhxFfGnNa/RABVKIDNG

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\", \"C:\\Program Files\\Google\\wininit.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\", \"C:\\Program Files\\Google\\wininit.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\", \"C:\\Program Files\\Google\\wininit.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\", \"C:\\Program Files\\Google\\wininit.exe\", \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\taskhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\services.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PCHEALTH\\System.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1212	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1212	schtasks.exe	27

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1324-54-0x0000000000340000-0x000000000044C000-memory.dmp	dcrat
behavioral1/memory/2216-96-0x0000000001250000-0x000000000135C000-memory.dmp	dcrat
behavioral1/files/0x00060000000143a3-93.dat	dcrat
behavioral1/files/0x00060000000143a3-90.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2216	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\System.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Google\\wininit.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\System.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\dwm.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Google\\wininit.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\services.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\taskhost.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\smss.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\services.exe\""	cb54fe9938168c64ee9dbdc0982a9917.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\wininit.exe	cb54fe9938168c64ee9dbdc0982a9917.exe
File created	C:\Program Files\Google\56085415360792	cb54fe9938168c64ee9dbdc0982a9917.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\smss.exe	cb54fe9938168c64ee9dbdc0982a9917.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\69ddcba757bf72	cb54fe9938168c64ee9dbdc0982a9917.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\System.exe	cb54fe9938168c64ee9dbdc0982a9917.exe
File opened for modification	C:\Windows\PCHEALTH\System.exe	cb54fe9938168c64ee9dbdc0982a9917.exe
File created	C:\Windows\PCHEALTH\27d1bcfc3c54e0	cb54fe9938168c64ee9dbdc0982a9917.exe

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1148	schtasks.exe
1728	schtasks.exe
1256	schtasks.exe
1020	schtasks.exe
1516	schtasks.exe
436	schtasks.exe
972	schtasks.exe
1904	schtasks.exe
1708	schtasks.exe
1832	schtasks.exe
1356	schtasks.exe
616	schtasks.exe
1964	schtasks.exe
1500	schtasks.exe
1848	schtasks.exe
884	schtasks.exe
1900	schtasks.exe
1776	schtasks.exe
1300	schtasks.exe
1620	schtasks.exe
1140	schtasks.exe
1056	schtasks.exe
1700	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1324	cb54fe9938168c64ee9dbdc0982a9917.exe
2216	services.exe
820	powershell.exe
1512	powershell.exe
1600	powershell.exe
988	powershell.exe
1188	powershell.exe
1744	powershell.exe
1460	powershell.exe
2020	powershell.exe
1348	powershell.exe
948	powershell.exe
1336	powershell.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2216	services.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	cb54fe9938168c64ee9dbdc0982a9917.exe
Token: SeDebugPrivilege	2216	services.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2032	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	52
PID 1324 wrote to memory of 2032	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	52
PID 1324 wrote to memory of 2032	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	52
PID 1324 wrote to memory of 988	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	53
PID 1324 wrote to memory of 988	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	53
PID 1324 wrote to memory of 988	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	53
PID 1324 wrote to memory of 1188	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	54
PID 1324 wrote to memory of 1188	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	54
PID 1324 wrote to memory of 1188	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	54
PID 1324 wrote to memory of 1348	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	56
PID 1324 wrote to memory of 1348	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	56
PID 1324 wrote to memory of 1348	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	56
PID 1324 wrote to memory of 1336	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	58
PID 1324 wrote to memory of 1336	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	58
PID 1324 wrote to memory of 1336	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	58
PID 1324 wrote to memory of 1512	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	61
PID 1324 wrote to memory of 1512	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	61
PID 1324 wrote to memory of 1512	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	61
PID 1324 wrote to memory of 1460	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	62
PID 1324 wrote to memory of 1460	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	62
PID 1324 wrote to memory of 1460	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	62
PID 1324 wrote to memory of 820	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	64
PID 1324 wrote to memory of 820	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	64
PID 1324 wrote to memory of 820	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	64
PID 1324 wrote to memory of 2020	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	66
PID 1324 wrote to memory of 2020	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	66
PID 1324 wrote to memory of 2020	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	66
PID 1324 wrote to memory of 948	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	68
PID 1324 wrote to memory of 948	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	68
PID 1324 wrote to memory of 948	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	68
PID 1324 wrote to memory of 1600	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	71
PID 1324 wrote to memory of 1600	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	71
PID 1324 wrote to memory of 1600	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	71
PID 1324 wrote to memory of 1744	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	72
PID 1324 wrote to memory of 1744	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	72
PID 1324 wrote to memory of 1744	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	72
PID 1324 wrote to memory of 2216	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	76
PID 1324 wrote to memory of 2216	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	76
PID 1324 wrote to memory of 2216	1324	cb54fe9938168c64ee9dbdc0982a9917.exe	76

C:\Users\Admin\AppData\Local\Temp\cb54fe9938168c64ee9dbdc0982a9917.exe
"C:\Users\Admin\AppData\Local\Temp\cb54fe9938168c64ee9dbdc0982a9917.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe

Filesize
1.1MB

MD5
cb54fe9938168c64ee9dbdc0982a9917

SHA1
9b9e8e726a5b85e4e5dd1393f6d7492715ff51e5

SHA256
08b960976b9ab83018f62874758a07d07031182b60a682141bce7599e34e5981

SHA512
170c95d305a9e4a0fb855d2f84cd501551eaa6424a5a56110c4e10f092278833df670ea0cb3f8362263ebf56e513aa1bcc662dab7e616849bf876e512fcbf28f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe

Filesize
1.1MB

MD5
cb54fe9938168c64ee9dbdc0982a9917

SHA1
9b9e8e726a5b85e4e5dd1393f6d7492715ff51e5

SHA256
08b960976b9ab83018f62874758a07d07031182b60a682141bce7599e34e5981

SHA512
170c95d305a9e4a0fb855d2f84cd501551eaa6424a5a56110c4e10f092278833df670ea0cb3f8362263ebf56e513aa1bcc662dab7e616849bf876e512fcbf28f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
195af26d1a1df87432af970ff5fe1860

SHA1
e5e80bf5fa202054315d08628b9b684f4c0ef203

SHA256
aad59acc80ee2078ddd3789094fd7cb6716e7be9b7dba13832b96e69e9e4eb16

SHA512
dac6f1f5a0baefcd1139b6fb8d208aae0cec89bfd9f6287f1630ad88dda5d68e55e709186338c7d42f31702a68fa27772e5d41011ea9b804ec80f9eacde09954

Download Submit
memory/820-105-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/820-142-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/820-163-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/820-121-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/820-166-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/820-136-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/948-127-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/948-135-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/948-138-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/948-114-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/948-139-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/988-161-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/988-137-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/988-122-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/988-77-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/988-160-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/988-130-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/988-108-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1188-157-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1188-156-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1188-147-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1188-132-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1188-106-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1188-152-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1188-125-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1324-64-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/1324-62-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/1324-57-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1324-56-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/1324-58-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1324-54-0x0000000000340000-0x000000000044C000-memory.dmp

Filesize
1.0MB

Download
memory/1324-59-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1324-55-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1324-60-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1324-63-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/1324-61-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1336-128-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1336-165-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1336-144-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1336-131-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1336-112-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1336-162-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1348-107-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1348-164-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1348-168-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/1348-141-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1348-134-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1348-126-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1460-146-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1460-159-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1460-158-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1460-97-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1460-116-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1460-119-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1512-167-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1512-129-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-169-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1512-123-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1512-143-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1512-110-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1600-120-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1600-109-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1600-149-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1600-148-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1600-117-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1600-150-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1744-151-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1744-145-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1744-118-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1744-115-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/1744-179-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1744-113-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/1744-153-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/2020-111-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-154-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/2020-133-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/2020-124-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/2020-155-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/2032-172-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmp

Filesize
10.1MB

Download
memory/2032-173-0x000007FEEAFC0000-0x000007FEEBB1D000-memory.dmp

Filesize
11.4MB

Download
memory/2032-174-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2032-175-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/2032-176-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/2032-178-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/2032-177-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2216-104-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2216-96-0x0000000001250000-0x000000000135C000-memory.dmp

Filesize
1.0MB

Download