dcrat | bf33833d77dd74a8a7fb751d6fa5da618440f3fb5447f8dd13e1893629a5b7dd

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2023 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Size

1.0MB
MD5

00019eb8bdb8bd7d36ba99b7f2b3bed5
SHA1

7b1630ac115dd6800e11bd3d776456d55804e6fe
SHA256

bf33833d77dd74a8a7fb751d6fa5da618440f3fb5447f8dd13e1893629a5b7dd
SHA512

1f735ee1f99a1ad28f7a4fcec1787b3aeb7c3f550b041a8f26b224999074f8d388278e086c22ae8cb2183201b8d5494c13cb893d2ea128a62942c1e7f6be207b
SSDEEP

24576:zAOEbDFEzOfXZFvokRtYp5h2ilqPMmUK5eHO8:zDEbJpFvoEYgilqPMmUKil

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2168	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2168	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1316-146-0x0000000000400000-0x00000000004FA000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts 00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Executes dropped EXE 2 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exe

pid process

4240 StartMenuExperienceHost.exe
2576 StartMenuExperienceHost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

pid	process
4240	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exeStartMenuExperienceHost.exe00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfx = "\"C:\\Users\\Admin\\AppData\\Roaming\\igfx.exe\""	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfx = "\"C:\\Users\\Admin\\AppData\\Roaming\\igfx.exe\""	StartMenuExperienceHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exeStartMenuExperienceHost.exe

description	pid	process	target process
PID 5016 set thread context of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 4240 set thread context of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe

Drops file in Program Files directory 7 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

description	ioc	process
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\5940a34987c991	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Program Files (x86)\Google\Temp\explorer.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Program Files (x86)\Google\Temp\7a0fd90576e088	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

Drops file in Windows directory 2 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

description	ioc	process
File created	C:\Windows\Offline Web Pages\System.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1172	schtasks.exe
2956	schtasks.exe
1924	schtasks.exe
1216	schtasks.exe
408	schtasks.exe
3084	schtasks.exe
4584	schtasks.exe
3360	schtasks.exe
2400	schtasks.exe
2304	schtasks.exe
1972	schtasks.exe
2912	schtasks.exe
4412	schtasks.exe
1480	schtasks.exe
5052	schtasks.exe
2424	schtasks.exe
1488	schtasks.exe
1696	schtasks.exe
3052	schtasks.exe
4716	schtasks.exe
3872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exe00019eb8bdb8bd7d36ba99b7f2b3bed5.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeStartMenuExperienceHost.exe

pid	process
616	powershell.exe
616	powershell.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
1916	powershell.exe
1916	powershell.exe
4372	powershell.exe
4372	powershell.exe
3292	powershell.exe
3292	powershell.exe
4544	powershell.exe
4544	powershell.exe
3824	powershell.exe
3824	powershell.exe
3060	powershell.exe
3060	powershell.exe
2208	powershell.exe
2208	powershell.exe
4916	powershell.exe
4916	powershell.exe
1224	powershell.exe
1224	powershell.exe
4384	powershell.exe
4384	powershell.exe
3540	powershell.exe
3540	powershell.exe
3292	powershell.exe
4372	powershell.exe
1916	powershell.exe
4544	powershell.exe
3824	powershell.exe
3060	powershell.exe
1224	powershell.exe
2208	powershell.exe
3540	powershell.exe
4916	powershell.exe
4384	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe
2576	StartMenuExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

2576 StartMenuExperienceHost.exe

pid	process
2576	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exepowershell.exe00019eb8bdb8bd7d36ba99b7f2b3bed5.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeStartMenuExperienceHost.exepowershell.exepowershell.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	4240	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2576	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

00019eb8bdb8bd7d36ba99b7f2b3bed5.exe00019eb8bdb8bd7d36ba99b7f2b3bed5.exeStartMenuExperienceHost.exe

description	pid	process	target process
PID 5016 wrote to memory of 616	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 5016 wrote to memory of 616	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 5016 wrote to memory of 616	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 5016 wrote to memory of 1316	5016	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
PID 1316 wrote to memory of 1916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 1916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 1916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3292	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3292	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3292	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4372	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4372	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4372	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4544	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4544	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4544	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3824	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3824	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3824	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3060	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3060	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3060	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 5112	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 5112	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 5112	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 2208	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 2208	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 2208	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4916	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 1224	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 1224	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 1224	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4384	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4384	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4384	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3540	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3540	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 3540	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	powershell.exe
PID 1316 wrote to memory of 4240	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	StartMenuExperienceHost.exe
PID 1316 wrote to memory of 4240	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	StartMenuExperienceHost.exe
PID 1316 wrote to memory of 4240	1316	00019eb8bdb8bd7d36ba99b7f2b3bed5.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 4716	4240	StartMenuExperienceHost.exe	powershell.exe
PID 4240 wrote to memory of 4716	4240	StartMenuExperienceHost.exe	powershell.exe
PID 4240 wrote to memory of 4716	4240	StartMenuExperienceHost.exe	powershell.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe
PID 4240 wrote to memory of 2576	4240	StartMenuExperienceHost.exe	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
"C:\Users\Admin\AppData\Local\Temp\00019eb8bdb8bd7d36ba99b7f2b3bed5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Users\Admin\AppData\Local\Temp\00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
C:\Users\Admin\AppData\Local\Temp\00019eb8bdb8bd7d36ba99b7f2b3bed5.exe
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Default\Pictures\StartMenuExperienceHost.exe
"C:\Users\Default\Pictures\StartMenuExperienceHost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Users\Default\Pictures\StartMenuExperienceHost.exe
C:\Users\Default\Pictures\StartMenuExperienceHost.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00019eb8bdb8bd7d36ba99b7f2b3bed5.exe.log
Filesize
1KB

MD5
4f3fab3e5f44399e7f4162fd367eca2d

SHA1
adada0591db5f53bcc0565942047156de3464e6e

SHA256
5db52f2a6a0fbfaa29e27418a1b72b660298dfa58a12ac0f12897a06e557caef

SHA512
d8c3fe3a91e572627e31a44d88a71fc3072786b074d04484ff6aacfeab43e0d29ec88bf6ad2af2a5f8e70f0c0eea95dcea59a8159adf4c642e5f8fd5fc632db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StartMenuExperienceHost.exe.log
Filesize
1KB

MD5
4f3fab3e5f44399e7f4162fd367eca2d

SHA1
adada0591db5f53bcc0565942047156de3464e6e

SHA256
5db52f2a6a0fbfaa29e27418a1b72b660298dfa58a12ac0f12897a06e557caef

SHA512
d8c3fe3a91e572627e31a44d88a71fc3072786b074d04484ff6aacfeab43e0d29ec88bf6ad2af2a5f8e70f0c0eea95dcea59a8159adf4c642e5f8fd5fc632db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5e766ef1896ef81f3c0ee93c38309a69

SHA1
bb9412a7c81762edcdf5c3b7cfc1e265b1b8b89b

SHA256
ec75db7064b5cce70920e1a3b6566ce01cb3291fa8e4ea9ae7a57c84becad021

SHA512
52ae626ef3a11f0cfb2a1871d86827136941a6f7a75187792dc8c11878836bb545d1b109c2b830d15e8d80c5f92a398d631fe2c813ef78cdcf97b06f2a72732f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c1ab1bea25eac25a08d9df9e7d12ea27

SHA1
c09d4303c19eb3bb46703f345c2d93f5304be78f

SHA256
d8704d2c5b1bbf8be07e56a58977147ad2543a305e53aa616fc9f80a971d895f

SHA512
dee536b496f195ae60b12270b6389abef24b8ae947357e1921221e105d1c9b534931facdcb3dcbe705752ca63c7955091505a781fd67f637af158694debf2f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c1ab1bea25eac25a08d9df9e7d12ea27

SHA1
c09d4303c19eb3bb46703f345c2d93f5304be78f

SHA256
d8704d2c5b1bbf8be07e56a58977147ad2543a305e53aa616fc9f80a971d895f

SHA512
dee536b496f195ae60b12270b6389abef24b8ae947357e1921221e105d1c9b534931facdcb3dcbe705752ca63c7955091505a781fd67f637af158694debf2f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
6798e14c010097ef2863d2696f1b58bd

SHA1
d9e3e381fecb4ae0f1691e5427d492424efdecab

SHA256
f6e4616120bacde5b64ba379b5cc6006a7654aa02a7c0ea2eca850bc592ef74e

SHA512
c85ab614a1dae0d766b92d2de018765384b3c6133a45715f04c7b0a01ff15623d01c718d4f6c6bc0b1283411c210537a8b7c964ad852de2804bfb0ee187a8d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c5795ad8fa5adb4cc7bf12897ce7db5e

SHA1
a3f9bf47e9df034fe26d778e3086609854fb9bf2

SHA256
80224d53845416e7a71792941a25b34bf7ea19a8d99f28d716df53932e0725de

SHA512
07b11866a0d83d50f34318aaed43d38cbc594b107ddb2a43b0d5847489a5825e0f6244a78a26949586892c495a1ed9aa69b232b4430d8d5da1399c193e2fb707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
cb7792943b804cf446aa14dd940bdeb4

SHA1
2efff8308bb2c0f1af9234a596df6a00df4cb6f5

SHA256
a28f6f614049c1bdb1ffa18d6f029dbd6ab47172500b14f447dce13821519e67

SHA512
9ed9304d9caf0cb425b094310b9fcaa3c31a813e0ab218b52e3465f12cf1c2ef12dae058fdbb2188bf242ef8402e8b8ddc7187ff8af14650c2f11793ea3dcca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4a406533d15e02df48546fc482d493fa

SHA1
ba357bb817fa5788f7242078bdc7efdb01a51fe1

SHA256
391b4762bcaeb2473622c51e93bd3951e65d38315f0b65331abaed9420b321dc

SHA512
18bc4b8eb926458de03d166d852a13f67f832807347cf1e3d34f3d7c3df691e163fdbfd6d57d06ff118fce59679b6474e65a72515713611b2f19f8ff3be7610b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c5795ad8fa5adb4cc7bf12897ce7db5e

SHA1
a3f9bf47e9df034fe26d778e3086609854fb9bf2

SHA256
80224d53845416e7a71792941a25b34bf7ea19a8d99f28d716df53932e0725de

SHA512
07b11866a0d83d50f34318aaed43d38cbc594b107ddb2a43b0d5847489a5825e0f6244a78a26949586892c495a1ed9aa69b232b4430d8d5da1399c193e2fb707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4a406533d15e02df48546fc482d493fa

SHA1
ba357bb817fa5788f7242078bdc7efdb01a51fe1

SHA256
391b4762bcaeb2473622c51e93bd3951e65d38315f0b65331abaed9420b321dc

SHA512
18bc4b8eb926458de03d166d852a13f67f832807347cf1e3d34f3d7c3df691e163fdbfd6d57d06ff118fce59679b6474e65a72515713611b2f19f8ff3be7610b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c6290ee3b7785c720997ee9430e9d0c1

SHA1
4ad0ed23d8fe26d1724341ae82765501467b0534

SHA256
5eaffaecaf4e0bf0551535ba93306f6ee8cc1bcdb7ee37d340ca798ad275cc21

SHA512
1755c55ba36030a71bfa8d4abc859a9411405e6ed5ec271695860a24dd563427eee459c254dfbe18e3a643f493dcaed3da0b8b18636ac807cc3b6ccaad794cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c6290ee3b7785c720997ee9430e9d0c1

SHA1
4ad0ed23d8fe26d1724341ae82765501467b0534

SHA256
5eaffaecaf4e0bf0551535ba93306f6ee8cc1bcdb7ee37d340ca798ad275cc21

SHA512
1755c55ba36030a71bfa8d4abc859a9411405e6ed5ec271695860a24dd563427eee459c254dfbe18e3a643f493dcaed3da0b8b18636ac807cc3b6ccaad794cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ab389399788f1ab7f3279aa10b50858c

SHA1
76153570c67a3fd8933b579c3ed935443a2de8fd

SHA256
b3a3c0964e9b55b7cd3d80c4729ffb9f476b052ad10bb79278f3dfc65f1a0b05

SHA512
3a5f3f2b27a3aa7f50a1297ddf24dfbf819dfaf2c4293bc29c72d8b4268862212155c05e6d5667df30d94cfcf17a9e929c1fbef992940071d4c057c842abcc9f

Download Submit
C:\Users\Admin\AppData\Roaming\igfx.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Default\Pictures\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
00019eb8bdb8bd7d36ba99b7f2b3bed5

SHA1
7b1630ac115dd6800e11bd3d776456d55804e6fe

SHA256
bf33833d77dd74a8a7fb751d6fa5da618440f3fb5447f8dd13e1893629a5b7dd

SHA512
1f735ee1f99a1ad28f7a4fcec1787b3aeb7c3f550b041a8f26b224999074f8d388278e086c22ae8cb2183201b8d5494c13cb893d2ea128a62942c1e7f6be207b

Download Submit
C:\Users\Default\Pictures\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
00019eb8bdb8bd7d36ba99b7f2b3bed5

SHA1
7b1630ac115dd6800e11bd3d776456d55804e6fe

SHA256
bf33833d77dd74a8a7fb751d6fa5da618440f3fb5447f8dd13e1893629a5b7dd

SHA512
1f735ee1f99a1ad28f7a4fcec1787b3aeb7c3f550b041a8f26b224999074f8d388278e086c22ae8cb2183201b8d5494c13cb893d2ea128a62942c1e7f6be207b

Download Submit
C:\Users\Default\Pictures\StartMenuExperienceHost.exe
Filesize
1.0MB

MD5
00019eb8bdb8bd7d36ba99b7f2b3bed5

SHA1
7b1630ac115dd6800e11bd3d776456d55804e6fe

SHA256
bf33833d77dd74a8a7fb751d6fa5da618440f3fb5447f8dd13e1893629a5b7dd

SHA512
1f735ee1f99a1ad28f7a4fcec1787b3aeb7c3f550b041a8f26b224999074f8d388278e086c22ae8cb2183201b8d5494c13cb893d2ea128a62942c1e7f6be207b

Download Submit
memory/616-144-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/616-141-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/616-140-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/616-143-0x0000000007AE0000-0x000000000815A000-memory.dmp

Filesize
6.5MB

Download
memory/616-142-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/616-137-0x0000000000000000-mapping.dmp

Download
memory/616-139-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/616-138-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/1224-158-0x0000000000000000-mapping.dmp

Download
memory/1224-176-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/1316-145-0x0000000000000000-mapping.dmp

Download
memory/1316-146-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1316-147-0x0000000005DE0000-0x0000000005E30000-memory.dmp

Filesize
320KB

Download
memory/1916-183-0x0000000005CA0000-0x0000000005CAE000-memory.dmp

Filesize
56KB

Download
memory/1916-173-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/1916-148-0x0000000000000000-mapping.dmp

Download
memory/2208-155-0x0000000000000000-mapping.dmp

Download
memory/2208-177-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/2576-198-0x0000000000000000-mapping.dmp

Download
memory/2576-202-0x0000000008F50000-0x0000000009112000-memory.dmp

Filesize
1.8MB

Download
memory/3060-153-0x0000000000000000-mapping.dmp

Download
memory/3060-175-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/3292-149-0x0000000000000000-mapping.dmp

Download
memory/3292-181-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/3292-182-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/3292-171-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/3540-185-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/3540-160-0x0000000000000000-mapping.dmp

Download
memory/3540-178-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/3540-184-0x0000000007E20000-0x0000000007E3A000-memory.dmp

Filesize
104KB

Download
memory/3824-152-0x0000000000000000-mapping.dmp

Download
memory/3824-174-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/4240-161-0x0000000000000000-mapping.dmp

Download
memory/4372-168-0x0000000006290000-0x00000000062C2000-memory.dmp

Filesize
200KB

Download
memory/4372-169-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/4372-170-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/4372-150-0x0000000000000000-mapping.dmp

Download
memory/4384-180-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/4384-159-0x0000000000000000-mapping.dmp

Download
memory/4544-151-0x0000000000000000-mapping.dmp

Download
memory/4544-172-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/4716-166-0x0000000000000000-mapping.dmp

Download
memory/4916-179-0x0000000070000000-0x000000007004C000-memory.dmp

Filesize
304KB

Download
memory/4916-156-0x0000000000000000-mapping.dmp

Download
memory/5016-136-0x0000000007C10000-0x0000000007C32000-memory.dmp

Filesize
136KB

Download
memory/5016-132-0x0000000000A00000-0x0000000000B0C000-memory.dmp

Filesize
1.0MB

Download
memory/5016-135-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/5016-134-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/5016-133-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/5112-154-0x0000000000000000-mapping.dmp

Download