dcrat | 95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
15-10-2022 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe1aeaec6e6923437807e0bfbb189be.exe
Size

4.9MB
MD5

3fe1aeaec6e6923437807e0bfbb189be
SHA1

26c05ec60980095cd2dee6fb6d938fbf7a95150e
SHA256

95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0
SHA512

aa86a0632731484d730b6bb0794f0a1e4114498dcba8e2c47fac9f1ee534e125ebdef13fc9283696fee19c2ef4272c423d091b27585083ab03b70a151d2da5d7
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	632	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sppsvc.exe3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1724-55-0x000000001B6F0000-0x000000001B81E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

2208 sppsvc.exe

pid	process
2208	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fe1aeaec6e6923437807e0bfbb189be.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 12 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\fr-FR\dwm.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\Windows Media Player\fr-FR\6cb0b6c459d5d3	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\69ddcba757bf72	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCX3EEA.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\dwm.exe	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX4FBE.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX7155.tmp	3fe1aeaec6e6923437807e0bfbb189be.exe
File opened for modification	C:\Program Files\7-Zip\Lang\services.exe	3fe1aeaec6e6923437807e0bfbb189be.exe

Drops file in Windows directory 1 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_prnhp004.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e88ca885f82d6041\taskhost.exe	3fe1aeaec6e6923437807e0bfbb189be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1092	schtasks.exe
1568	schtasks.exe
1540	schtasks.exe
832	schtasks.exe
1236	schtasks.exe
1320	schtasks.exe
924	schtasks.exe
848	schtasks.exe
1108	schtasks.exe
1660	schtasks.exe
1532	schtasks.exe
604	schtasks.exe
1732	schtasks.exe
1828	schtasks.exe
1928	schtasks.exe
544	schtasks.exe
692	schtasks.exe
1992	schtasks.exe
1676	schtasks.exe
308	schtasks.exe
1892	schtasks.exe
1496	schtasks.exe
668	schtasks.exe
1472	schtasks.exe
824	schtasks.exe
776	schtasks.exe
1996	schtasks.exe
1124	schtasks.exe
900	schtasks.exe
1236	schtasks.exe
1412	schtasks.exe
1752	schtasks.exe
1596	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

2208 sppsvc.exe

pid	process
2208	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.exesppsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1724	3fe1aeaec6e6923437807e0bfbb189be.exe
2208	sppsvc.exe
1892	powershell.exe
1476	powershell.exe
364	powershell.exe
1932	powershell.exe
996	powershell.exe
776	powershell.exe
1720	powershell.exe
1660	powershell.exe
1168	powershell.exe
624	powershell.exe
1776	powershell.exe
1928	powershell.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe
2208	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1724	3fe1aeaec6e6923437807e0bfbb189be.exe
Token: SeDebugPrivilege	2208	sppsvc.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sppsvc.exe

pid process

2208 sppsvc.exe

pid	process
2208	sppsvc.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

3fe1aeaec6e6923437807e0bfbb189be.execmd.exesppsvc.exe

description	pid	process	target process
PID 1724 wrote to memory of 1476	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1476	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1476	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 364	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 364	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 364	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1928	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1928	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1928	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1660	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1660	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1660	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 996	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 996	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 996	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1892	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1892	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1892	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1720	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1720	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1720	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1168	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1168	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1168	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1776	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 624	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 624	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 624	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1932	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1932	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 1932	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	powershell.exe
PID 1724 wrote to memory of 2120	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	cmd.exe
PID 1724 wrote to memory of 2120	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	cmd.exe
PID 1724 wrote to memory of 2120	1724	3fe1aeaec6e6923437807e0bfbb189be.exe	cmd.exe
PID 2120 wrote to memory of 2188	2120	cmd.exe	w32tm.exe
PID 2120 wrote to memory of 2188	2120	cmd.exe	w32tm.exe
PID 2120 wrote to memory of 2188	2120	cmd.exe	w32tm.exe
PID 2120 wrote to memory of 2208	2120	cmd.exe	sppsvc.exe
PID 2120 wrote to memory of 2208	2120	cmd.exe	sppsvc.exe
PID 2120 wrote to memory of 2208	2120	cmd.exe	sppsvc.exe
PID 2120 wrote to memory of 2208	2120	cmd.exe	sppsvc.exe
PID 2120 wrote to memory of 2208	2120	cmd.exe	sppsvc.exe
PID 2208 wrote to memory of 2584	2208	sppsvc.exe	WScript.exe
PID 2208 wrote to memory of 2584	2208	sppsvc.exe	WScript.exe
PID 2208 wrote to memory of 2584	2208	sppsvc.exe	WScript.exe
PID 2208 wrote to memory of 2604	2208	sppsvc.exe	WScript.exe
PID 2208 wrote to memory of 2604	2208	sppsvc.exe	WScript.exe
PID 2208 wrote to memory of 2604	2208	sppsvc.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exe3fe1aeaec6e6923437807e0bfbb189be.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fe1aeaec6e6923437807e0bfbb189be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\3fe1aeaec6e6923437807e0bfbb189be.exe
"C:\Users\Admin\AppData\Local\Temp\3fe1aeaec6e6923437807e0bfbb189be.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oaIjstWykM.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2188

C:\MSOCache\All Users\sppsvc.exe
"C:\MSOCache\All Users\sppsvc.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd399848-de02-4f79-8113-db4035860fee.vbs"
4⤵
PID:2584

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a374ebf-fce3-4e8c-a191-3e5cdfeb772c.vbs"
4⤵
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\sppsvc.exe
Filesize
4.9MB

MD5
858d15dd7408aac3793d3617f3a2bd93

SHA1
7b63e42186b7a9d48030abdba9e22034b8925703

SHA256
0d9e5c4e9e515a0fc5d240013bb626bec7d4ac3f6cb21ac18973f8409ccca8cd

SHA512
460e6e974ead1a2ca34d4f16c2664cf00ecbd59d03877d4afbb001296bb2ab868418f7862ff6d22d54a89a6aaa006fdeb2fa5386287ce303cb13a18b8dceb652

Download Submit
C:\MSOCache\All Users\sppsvc.exe
Filesize
4.9MB

MD5
858d15dd7408aac3793d3617f3a2bd93

SHA1
7b63e42186b7a9d48030abdba9e22034b8925703

SHA256
0d9e5c4e9e515a0fc5d240013bb626bec7d4ac3f6cb21ac18973f8409ccca8cd

SHA512
460e6e974ead1a2ca34d4f16c2664cf00ecbd59d03877d4afbb001296bb2ab868418f7862ff6d22d54a89a6aaa006fdeb2fa5386287ce303cb13a18b8dceb652

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a374ebf-fce3-4e8c-a191-3e5cdfeb772c.vbs
Filesize
484B

MD5
04b71db23af55d87cd69ec534126a7b2

SHA1
389e17692708b9cee5a58dd804e70bbb6bd83d6c

SHA256
d3f2125679e862fb5746047c648cb608dbcb5e3fe8e997f49d588f2f1372c76e

SHA512
3daf85527f058d903118946daa5a1dcaa08c2aca74b3ede0f594ce4998f8ce10009454ce30bdddf76a07e72d6ea34103f1b6e8964c9e56f993e3fd9f82da419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd399848-de02-4f79-8113-db4035860fee.vbs
Filesize
708B

MD5
4c99e2852b2f75d6394bf8a21f235fbc

SHA1
f8a03091768956408ea6da89d419d72d1c8acfbe

SHA256
b62cf5cae03ea1b5d15b8dd64c639670f725008bc4dc0204870806c02883877a

SHA512
adb651b7e72d57d18dd20a7742c15fc817b2fd623dfd71a3c8752ccc41c6f7f2086762108f97e96054a34313735ee2f96eacf47f07c6c4b57e512fb1c791b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaIjstWykM.bat
Filesize
197B

MD5
dc7d946fd772dd1aa8606e0ad29ba8a3

SHA1
e3fe1138c75107d3915e9437fbf3cd3597a2c28a

SHA256
ff428ecd1d56a8fdb6626b1d1628412ea7f8ca7b4d3ff738590e575a1d9eb568

SHA512
9fe1fd312f1c16b4a98485302c15a7d7189c13bea6bbc23d5a93e31fe2fdd59c67b24f25c9b18919e049d903580950c9f737eec9ed6bcb601cca9532741d031d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
794c62ad5ac67724024b702399842c0f

SHA1
1f150ce515b0e4d9b2d34fda22159cdae30c7a83

SHA256
e48d1dc51b496f3ca74cca9f50eb8a33038bc15e6dcc3ef9574c6c9b897dc02b

SHA512
03e412f67440e381bd28b8c842b7000c4f006070c95e4c148b1bf6e6f38964d9587572ee8cbc566a71ee9a708cd93d796f59f24b249015a65519818ebced9899

Download Submit
memory/364-86-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/364-123-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/364-181-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/364-70-0x0000000000000000-mapping.dmp

Download
memory/364-129-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/364-194-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/364-180-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/624-166-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/624-164-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/624-167-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/624-121-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/624-138-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/624-90-0x0000000000000000-mapping.dmp

Download
memory/624-146-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/624-156-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/776-139-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/776-73-0x0000000000000000-mapping.dmp

Download
memory/776-122-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/776-161-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/776-192-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/776-189-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/776-147-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/776-177-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/996-182-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/996-142-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/996-169-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/996-158-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/996-74-0x0000000000000000-mapping.dmp

Download
memory/996-118-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/996-184-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/996-135-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1168-191-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1168-188-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1168-130-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1168-125-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1168-163-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1168-116-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1168-186-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1168-80-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1476-120-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1476-69-0x0000000000000000-mapping.dmp

Download
memory/1476-128-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1476-152-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1476-108-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1476-175-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1476-172-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1476-168-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1660-157-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/1660-173-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1660-185-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1660-187-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1660-132-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1660-127-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1660-114-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1720-190-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1720-193-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1720-79-0x0000000000000000-mapping.dmp

Download
memory/1720-162-0x000000001B970000-0x000000001BC6F000-memory.dmp

Filesize
3.0MB

Download
memory/1720-137-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1720-183-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1720-141-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1720-113-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1724-54-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/1724-59-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/1724-64-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/1724-57-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1724-65-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/1724-66-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/1724-58-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1724-67-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/1724-63-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1724-68-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1724-62-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1724-56-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/1724-55-0x000000001B6F0000-0x000000001B81E000-memory.dmp

Filesize
1.2MB

Download
memory/1724-61-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1724-60-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1776-154-0x000000001B950000-0x000000001BC4F000-memory.dmp

Filesize
3.0MB

Download
memory/1776-178-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1776-87-0x0000000000000000-mapping.dmp

Download
memory/1776-145-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1776-119-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1776-165-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1776-134-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1776-171-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1892-78-0x0000000000000000-mapping.dmp

Download
memory/1892-115-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1892-140-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1892-143-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1892-133-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1892-153-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1928-176-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1928-170-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1928-131-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1928-82-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1928-126-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1928-71-0x0000000000000000-mapping.dmp

Download
memory/1928-160-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1932-179-0x0000000002A2B000-0x0000000002A4A000-memory.dmp

Filesize
124KB

Download
memory/1932-159-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1932-144-0x000007FEE91A0000-0x000007FEE9CFD000-memory.dmp

Filesize
11.4MB

Download
memory/1932-124-0x000007FEEACD0000-0x000007FEEB6F3000-memory.dmp

Filesize
10.1MB

Download
memory/1932-174-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/1932-92-0x0000000000000000-mapping.dmp

Download
memory/1932-136-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/2120-103-0x0000000000000000-mapping.dmp

Download
memory/2188-107-0x0000000000000000-mapping.dmp

Download
memory/2208-109-0x0000000000000000-mapping.dmp

Download
memory/2208-112-0x0000000000110000-0x0000000000604000-memory.dmp

Filesize
5.0MB

Download
memory/2208-117-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/2584-148-0x0000000000000000-mapping.dmp

Download
memory/2604-149-0x0000000000000000-mapping.dmp

Download