dcrat | 300b288ab3cdc59af5984619601115862dd26973b9dea07b6b7bde9b34480870

Analysis

max time kernel
152s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5958e11d8981a7fe026fb065e6e6786b.exe
Size

1.7MB
MD5

5958e11d8981a7fe026fb065e6e6786b
SHA1

83cecc4d0227f5ea92bba5ee3dad5d418f77ebbf
SHA256

300b288ab3cdc59af5984619601115862dd26973b9dea07b6b7bde9b34480870
SHA512

2a0476cd0e04868fcdb294d378743409a7e2dffd14acc6dec8104c5a465091a2d179ac8206a868d70b31f171d73b97a4a983b7e0b6a1e1200f916c61f9a8bcb7
SSDEEP

24576:Mnq11bh7jPYVwOE4XW4mUy0ht7ERTpnzh7k3AC2UkModwnnAXl6JjhgvUMW1qdDG:+q1thGwOJJyimpnzlIdxMhlGmYkdD

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5958e11d8981a7fe026fb065e6e6786b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\WmiPrvSE.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\WmiPrvSE.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1108	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-54-0x00000000011E0000-0x00000000013A4000-memory.dmp	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe	dcrat
behavioral1/memory/2104-105-0x00000000000D0000-0x0000000000294000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts 5958e11d8981a7fe026fb065e6e6786b.exe
Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

2104 spoolsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5958e11d8981a7fe026fb065e6e6786b.exe

pid	process
2104	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5958e11d8981a7fe026fb065e6e6786b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\WmiPrvSE.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\WmiPrvSE.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\WMIADAP.exe\""	5958e11d8981a7fe026fb065e6e6786b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
9 ipinfo.io

flow	ioc
8	ipinfo.io
9	ipinfo.io

Drops file in Program Files directory 5 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exe

description	ioc	process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe	5958e11d8981a7fe026fb065e6e6786b.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\75a57c1bdf437c	5958e11d8981a7fe026fb065e6e6786b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe	5958e11d8981a7fe026fb065e6e6786b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\24dbde2999530e	5958e11d8981a7fe026fb065e6e6786b.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe	5958e11d8981a7fe026fb065e6e6786b.exe

Drops file in Windows directory 1 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exe

description ioc process

File created C:\Windows\schemas\EAPHost\wininit.exe 5958e11d8981a7fe026fb065e6e6786b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\schemas\EAPHost\wininit.exe	5958e11d8981a7fe026fb065e6e6786b.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
516	schtasks.exe
1932	schtasks.exe
2016	schtasks.exe
108	schtasks.exe
1004	schtasks.exe
2008	schtasks.exe
1304	schtasks.exe
696	schtasks.exe
1300	schtasks.exe
692	schtasks.exe
1916	schtasks.exe
1584	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exespoolsv.exe

pid	process
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
1784	5958e11d8981a7fe026fb065e6e6786b.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exespoolsv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1784	5958e11d8981a7fe026fb065e6e6786b.exe
Token: SeDebugPrivilege	2104	spoolsv.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

5958e11d8981a7fe026fb065e6e6786b.exespoolsv.exe

description	pid	process	target process
PID 1784 wrote to memory of 584	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 584	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 584	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 580	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 580	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 580	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 284	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 284	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 284	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1596	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1596	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1596	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1908	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1908	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1908	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1496	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1496	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1496	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 964	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 964	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 964	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1064	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1064	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1064	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 436	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 436	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 436	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1672	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1672	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1672	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1092	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1092	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 1092	1784	5958e11d8981a7fe026fb065e6e6786b.exe	powershell.exe
PID 1784 wrote to memory of 2104	1784	5958e11d8981a7fe026fb065e6e6786b.exe	spoolsv.exe
PID 1784 wrote to memory of 2104	1784	5958e11d8981a7fe026fb065e6e6786b.exe	spoolsv.exe
PID 1784 wrote to memory of 2104	1784	5958e11d8981a7fe026fb065e6e6786b.exe	spoolsv.exe
PID 2104 wrote to memory of 2604	2104	spoolsv.exe	WScript.exe
PID 2104 wrote to memory of 2604	2104	spoolsv.exe	WScript.exe
PID 2104 wrote to memory of 2604	2104	spoolsv.exe	WScript.exe
PID 2104 wrote to memory of 3032	2104	spoolsv.exe	WScript.exe
PID 2104 wrote to memory of 3032	2104	spoolsv.exe	WScript.exe
PID 2104 wrote to memory of 3032	2104	spoolsv.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\5958e11d8981a7fe026fb065e6e6786b.exe
"C:\Users\Admin\AppData\Local\Temp\5958e11d8981a7fe026fb065e6e6786b.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe
"C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66b6595d-2fc2-4b0b-8152-50ecf725d085.vbs"
3⤵
PID:2604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cff77ad-ebc1-4d06-b6bd-4c9cafd81459.vbs"
3⤵
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe
Filesize
1.7MB

MD5
5958e11d8981a7fe026fb065e6e6786b

SHA1
83cecc4d0227f5ea92bba5ee3dad5d418f77ebbf

SHA256
300b288ab3cdc59af5984619601115862dd26973b9dea07b6b7bde9b34480870

SHA512
2a0476cd0e04868fcdb294d378743409a7e2dffd14acc6dec8104c5a465091a2d179ac8206a868d70b31f171d73b97a4a983b7e0b6a1e1200f916c61f9a8bcb7

Download Submit
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe
Filesize
1.7MB

MD5
5958e11d8981a7fe026fb065e6e6786b

SHA1
83cecc4d0227f5ea92bba5ee3dad5d418f77ebbf

SHA256
300b288ab3cdc59af5984619601115862dd26973b9dea07b6b7bde9b34480870

SHA512
2a0476cd0e04868fcdb294d378743409a7e2dffd14acc6dec8104c5a465091a2d179ac8206a868d70b31f171d73b97a4a983b7e0b6a1e1200f916c61f9a8bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cff77ad-ebc1-4d06-b6bd-4c9cafd81459.vbs
Filesize
512B

MD5
c64157a74839827c98954e88701d2be9

SHA1
c9b85cb163987571746420831dcaeb2cb1eacf8e

SHA256
63edb8f1ff51178006d06c60944b07c78de4a192746b88de827ef169432045e0

SHA512
e94965e5018dbd862fb29f6dc83a8b6330ff72397c1423e9b746ade13a1afde3856b19e9abc4abc857584534beff024dbefcfd98199e32fa94bfce463c32a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\66b6595d-2fc2-4b0b-8152-50ecf725d085.vbs
Filesize
736B

MD5
5bcb247a7e074e05fc147e3c6a4d44ff

SHA1
c17564a812f3635f8c8220f3b48d98a314f713b1

SHA256
09b54f2b1a89cd2f3c26fbfa80ae087b59d18c5eec0771e875b7912a7b3f7aa4

SHA512
59d08a1ebcbaf7551a45b8479bcd8885083416de02331cbc713173851f3a5e7ae9c5b2823ab0b23214518298aa1f7cdc6986e39b65c24c4768b6b7800147bb12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ecf2b76d591f4f4abc0f62d99ca8f52c

SHA1
f137de69a94d7a6e52c9bef3608cd3324643c369

SHA256
1ee81a51aba249ecca65ecf823a89bc60ab67bbf0692acad12958b69b6a08f7d

SHA512
fba7979811b572e5fbf97e1d842750c5ce63544f32b769c00a6393a881ea19219c97d10a101e82b1295d0934a997f799616fefd2351dee5a09247aa4a0b456d5

Download Submit
memory/284-182-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/284-167-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/284-160-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/284-81-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/284-72-0x0000000000000000-mapping.dmp

Download
memory/284-131-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/284-188-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/284-113-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/284-152-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/284-138-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/436-145-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/436-139-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/436-180-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/436-161-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/436-118-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/436-183-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/580-136-0x00000000022B4000-0x00000000022B7000-memory.dmp

Filesize
12KB

Download
memory/580-148-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/580-158-0x00000000022B4000-0x00000000022B7000-memory.dmp

Filesize
12KB

Download
memory/580-129-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/580-71-0x0000000000000000-mapping.dmp

Download
memory/580-114-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/580-171-0x00000000022BB000-0x00000000022DA000-memory.dmp

Filesize
124KB

Download
memory/584-162-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/584-95-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/584-178-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/584-70-0x0000000000000000-mapping.dmp

Download
memory/584-185-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/584-165-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/584-143-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/584-140-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/800-73-0x0000000000000000-mapping.dmp

Download
memory/800-117-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/800-132-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/800-154-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/800-125-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/800-177-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/800-153-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/964-77-0x0000000000000000-mapping.dmp

Download
memory/964-203-0x000007FEECDD0000-0x000007FEED7F3000-memory.dmp

Filesize
10.1MB

Download
memory/964-204-0x000007FEE9540000-0x000007FEEA09D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-189-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1064-128-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-147-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1064-119-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1064-176-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1064-157-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1064-78-0x0000000000000000-mapping.dmp

Download
memory/1064-135-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1092-164-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1092-92-0x0000000000000000-mapping.dmp

Download
memory/1092-179-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1092-190-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1092-184-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1092-120-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-142-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1092-146-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1496-115-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1496-141-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1496-76-0x0000000000000000-mapping.dmp

Download
memory/1496-163-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1496-181-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1496-144-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1596-169-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1596-74-0x0000000000000000-mapping.dmp

Download
memory/1596-150-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1596-130-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1596-96-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1596-137-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1596-186-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1596-159-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1672-80-0x0000000000000000-mapping.dmp

Download
memory/1672-170-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1672-187-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1672-156-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1672-116-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1672-134-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1672-149-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1672-127-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-64-0x0000000001170000-0x000000000117C000-memory.dmp

Filesize
48KB

Download
memory/1784-65-0x0000000001180000-0x000000000118A000-memory.dmp

Filesize
40KB

Download
memory/1784-94-0x000000001B0A6000-0x000000001B0C5000-memory.dmp

Filesize
124KB

Download
memory/1784-55-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1784-56-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1784-57-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/1784-58-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/1784-59-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1784-69-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/1784-110-0x000000001B0A6000-0x000000001B0C5000-memory.dmp

Filesize
124KB

Download
memory/1784-60-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/1784-68-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/1784-61-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1784-67-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/1784-66-0x0000000001190000-0x000000000119E000-memory.dmp

Filesize
56KB

Download
memory/1784-54-0x00000000011E0000-0x00000000013A4000-memory.dmp

Filesize
1.8MB

Download
memory/1784-62-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/1784-63-0x000000001B0A6000-0x000000001B0C5000-memory.dmp

Filesize
124KB

Download
memory/1908-166-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1908-133-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1908-151-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1908-126-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/1908-155-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1908-121-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download
memory/2104-105-0x00000000000D0000-0x0000000000294000-memory.dmp

Filesize
1.8MB

Download
memory/2104-112-0x000000001AFA6000-0x000000001AFC5000-memory.dmp

Filesize
124KB

Download
memory/2104-111-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2104-122-0x000000001AFA6000-0x000000001AFC5000-memory.dmp

Filesize
124KB

Download
memory/2104-97-0x0000000000000000-mapping.dmp

Download
memory/2604-123-0x0000000000000000-mapping.dmp

Download
memory/3032-173-0x0000000000000000-mapping.dmp

Download