dcrat | f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-01-2023 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallFile.exe
Size

2.2MB
MD5

e14d3c54fb43442b8c99febfb7007d71
SHA1

5f2872a705eb75516e491b0a3e57d8fd945a23c5
SHA256

f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366
SHA512

aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf
SSDEEP

49152:JmYP7zNGoWl6NcM8HLSqHmNMZkWHkF+H:JmYzGQWJrtGI

Score

10^/10

dcrat evasion infostealer rat spyware stealer themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1144	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1884-57-0x0000000000910000-0x0000000000F9C000-memory.dmp	dcrat
behavioral1/memory/1884-77-0x0000000000910000-0x0000000000F9C000-memory.dmp	dcrat
behavioral1/memory/1568-90-0x0000000000DB0000-0x000000000143C000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

InstallFile.execsrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	InstallFile.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	csrss.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1568 csrss.exe

pid	process
1568	csrss.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallFile.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	InstallFile.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	InstallFile.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	csrss.exe

Loads dropped DLL 4 IoCs

Processes:

cmd.execsrss.exe

pid process

1380 cmd.exe
1380 cmd.exe
1568 csrss.exe
1568 csrss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1380	cmd.exe
1380	cmd.exe
1568	csrss.exe
1568	csrss.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1884-57-0x0000000000910000-0x0000000000F9C000-memory.dmp	themida
behavioral1/memory/1884-77-0x0000000000910000-0x0000000000F9C000-memory.dmp	themida
\MSOCache\All Users\csrss.exe	themida
C:\MSOCache\All Users\csrss.exe	themida
\MSOCache\All Users\csrss.exe	themida
C:\MSOCache\All Users\csrss.exe	themida
\MSOCache\All Users\csrss.exe	themida
\MSOCache\All Users\csrss.exe	themida
behavioral1/memory/1568-90-0x0000000000DB0000-0x000000000143C000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

InstallFile.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFile.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

InstallFile.execsrss.exe

pid process

1884 InstallFile.exe
1568 csrss.exe

Drops file in Program Files directory 8 IoCs

Processes:

InstallFile.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\WMIADAP.exe	InstallFile.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\75a57c1bdf437c	InstallFile.exe
File opened for modification	C:\Program Files\DVD Maker\wininit.exe	InstallFile.exe
File created	C:\Program Files\DVD Maker\56085415360792	InstallFile.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\WmiPrvSE.exe	InstallFile.exe
File created	C:\Program Files\Microsoft Games\More Games\24dbde2999530e	InstallFile.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe	InstallFile.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\6203df4a6bafc7	InstallFile.exe

Drops file in Windows directory 4 IoCs

Processes:

InstallFile.exe

description	ioc	process
File opened for modification	C:\Windows\twain_32\spoolsv.exe	InstallFile.exe
File created	C:\Windows\twain_32\f3b6ecef712a24	InstallFile.exe
File opened for modification	C:\Windows\Tasks\services.exe	InstallFile.exe
File created	C:\Windows\Tasks\c5b4cb5e9653cc	InstallFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
360	schtasks.exe
1852	schtasks.exe
1204	schtasks.exe
1048	schtasks.exe
1752	schtasks.exe
1276	schtasks.exe
968	schtasks.exe
616	schtasks.exe
892	schtasks.exe
336	schtasks.exe
1544	schtasks.exe
1340	schtasks.exe
1064	schtasks.exe
1276	schtasks.exe
1468	schtasks.exe
1016	schtasks.exe
1748	schtasks.exe
2036	schtasks.exe
1984	schtasks.exe
1080	schtasks.exe
1124	schtasks.exe
1304	schtasks.exe
908	schtasks.exe
804	schtasks.exe
1164	schtasks.exe
1712	schtasks.exe
1312	schtasks.exe
572	schtasks.exe
1932	schtasks.exe
1552	schtasks.exe
1720	schtasks.exe
856	schtasks.exe
520	schtasks.exe
1208	schtasks.exe
624	schtasks.exe
2004	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0493714d932d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381648520"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2b988a7f206764b8c18dad6796fcbb3000000000200000000001066000000010000200000003b014bc7fa39f1a0406f448d1c428668862c945a8612da73c44fa9455866c6c4000000000e8000000002000020000000c3708f969611f3a0fcb0af18aa0f7d50de5bf83f826d943a14014076fbf0cbe320000000b362c7284006c077684575002ac50e9e971314dadc3f85b2652e5d8b5f5c1035400000005281874c5d6ddade55ab70626fbbc96f36caa2033c7e8a5caef625de3e6d2a432eae97712798c4a05c6a86597054e7da1e4b58ccf8c766bae6658b1cb2a7c587	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3656D251-9ECC-11ED-AA01-6AB3F8C7EA51} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2b988a7f206764b8c18dad6796fcbb3000000000200000000001066000000010000200000006c01d6818d61d9b9154febfecb94ef0bfaae1dcdb14f49a6d3674770502548e6000000000e800000000200002000000095742499ebbe57199e653ced11b491d8bd7da5157683077455c15d1fa8041f9890000000b7db5e560190f1b2fdd8a42ca93d8a6d258a88ff05739099a48033e45137460e78fa6712212bee6c4cb9809297c295312a12ac2ed9edddd6006fccb2d04c5d50390014dc93b935cbc7c2d89e6ffd2f1ddb84e607f57d1fa64805065bbcfbc89e9c5f3198e0c8cadbfcd155e1edca880327ce7d3a2ec3ea842fdfd6a82d4bc32f831bdaff43410628f119a006820ad63e40000000fa0c0b9d9cff2d4c2f720fb6f086dc1167c191d679c4f726ec6198c5a9fbb8864725bf07ac06486f325749cf0ae88ec81d062224ec0fafcf9f98c64b4431b256	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

InstallFile.execsrss.exe

pid	process
1884	InstallFile.exe
1884	InstallFile.exe
1884	InstallFile.exe
1884	InstallFile.exe
1884	InstallFile.exe
1884	InstallFile.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

InstallFile.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1884	InstallFile.exe
Token: SeRestorePrivilege	1884	InstallFile.exe
Token: SeBackupPrivilege	1884	InstallFile.exe
Token: SeDebugPrivilege	1568	csrss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

336 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

336 iexplore.exe
336 iexplore.exe
1580 IEXPLORE.EXE
1580 IEXPLORE.EXE
1580 IEXPLORE.EXE
1580 IEXPLORE.EXE

pid	process
336	iexplore.exe

pid	process
336	iexplore.exe
336	iexplore.exe
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

InstallFile.execmd.exew32tm.execsrss.exeiexplore.exe

description	pid	process	target process
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1884 wrote to memory of 1380	1884	InstallFile.exe	cmd.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 1380 wrote to memory of 108	1380	cmd.exe	w32tm.exe
PID 108 wrote to memory of 968	108	w32tm.exe	w32tm.exe
PID 108 wrote to memory of 968	108	w32tm.exe	w32tm.exe
PID 108 wrote to memory of 968	108	w32tm.exe	w32tm.exe
PID 108 wrote to memory of 968	108	w32tm.exe	w32tm.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1380 wrote to memory of 1568	1380	cmd.exe	csrss.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 468	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 792	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 336	1568	csrss.exe	iexplore.exe
PID 1568 wrote to memory of 336	1568	csrss.exe	iexplore.exe
PID 1568 wrote to memory of 336	1568	csrss.exe	iexplore.exe
PID 1568 wrote to memory of 336	1568	csrss.exe	iexplore.exe
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE
PID 336 wrote to memory of 1580	336	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\InstallFile.exe
"C:\Users\Admin\AppData\Local\Temp\InstallFile.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M8spaUCjcR.bat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:968

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\092ed056-0f96-4ecb-8981-e0a8be62c5d2.vbs"
4⤵
PID:468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201c6ccb-7eac-47f0-9a5b-f3618bde0f7a.vbs"
4⤵
PID:792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:13353/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:336 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\More Games\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\More Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
C:\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\092ed056-0f96-4ecb-8981-e0a8be62c5d2.vbs
Filesize
707B

MD5
a47c67eb4fadb7e2fa65bb8c33a85112

SHA1
e09d002ea67f179cde86962ab7231773aac26cb0

SHA256
9ed751005dee8888efaf52d59f2cddbcf761df64c350dde5f6291e915d8b1f6f

SHA512
6426c2ce267da0b3dea13f28a7ce9702f1c8e12b628bb6325172fa81bf9506582341bc65fbe397c2ac684197d53c3b881231267a7e9eea4d68c7097f771becd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\201c6ccb-7eac-47f0-9a5b-f3618bde0f7a.vbs
Filesize
483B

MD5
813a668bd4a8a7d272429d6caa289f0c

SHA1
fc64c8bf45162221036e8286268984a5f58f9a7e

SHA256
cfa1f75a3c54f96a5102615d886187811974701bd9249d49ee72809bd9368c60

SHA512
e8b70e31d3f537f5b7de2c3617c32965aef8ce0ed51996d7bac68cc51c72d049e36236cb1669cc2d4d036914b6338f71bde06a52e5b79b05b8aa421e68ea1b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\M8spaUCjcR.bat
Filesize
196B

MD5
10f2099763f93714c1d5f45605ea054e

SHA1
70a6a014ac57799615b99d475f308af64c2c8d5b

SHA256
1797f1e5875bf6dd1e5851b4dce6d9db384f05c482e3943730bf50390cf32bbd

SHA512
48eea680669ff736c4587757462765ab8af31ba4397a5a7f54cc3c0ceaf13720292bdc532b618d3d6a39a29f1b6d724d766bd855526a634476e492ec7cdc9376

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CJCHP4ZC.txt
Filesize
603B

MD5
5de23a39d9cba182c233fc98d151ac06

SHA1
20db557c0a90b786c5905325577e6b918d6ce858

SHA256
de1bfdcdd57fb55b7f67949f7c6dfa894ac429cf97179f8937e7d3ce4a9fe66e

SHA512
a8884d99ffd5a7a8ad6df3c323a3ffdcb7a8151f578a4db68fc0b813cb091db8abcba9dc8b4c47c0c52c1f80b3fa94099692581744f1296413503dd2527bde32

Download Submit
\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
\MSOCache\All Users\csrss.exe
Filesize
2.2MB

MD5
e14d3c54fb43442b8c99febfb7007d71

SHA1
5f2872a705eb75516e491b0a3e57d8fd945a23c5

SHA256
f7954923c8a110188d24e4d27e68e57d7d1781882644386e57fbfb183b94b366

SHA512
aa6942e8d434ffc3e1885832f43f18f9345ad221346def10a87ea5c19670f05c22a8f281d2de2ba53079f2114371c451fb0c53d5103a87966a3effd165ce50bf

Download Submit
memory/108-74-0x0000000000000000-mapping.dmp

Download
memory/468-95-0x0000000000000000-mapping.dmp

Download
memory/792-97-0x0000000000000000-mapping.dmp

Download
memory/968-76-0x0000000000000000-mapping.dmp

Download
memory/1380-71-0x0000000000000000-mapping.dmp

Download
memory/1568-91-0x0000000000DB0000-0x000000000143C000-memory.dmp

Filesize
6.5MB

Download
memory/1568-89-0x0000000077A60000-0x0000000077BE0000-memory.dmp

Filesize
1.5MB

Download
memory/1568-92-0x0000000001620000-0x0000000001CAC000-memory.dmp

Filesize
6.5MB

Download
memory/1568-93-0x0000000001620000-0x0000000001CAC000-memory.dmp

Filesize
6.5MB

Download
memory/1568-90-0x0000000000DB0000-0x000000000143C000-memory.dmp

Filesize
6.5MB

Download
memory/1568-94-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1568-101-0x0000000077A60000-0x0000000077BE0000-memory.dmp

Filesize
1.5MB

Download
memory/1568-102-0x0000000000DB0000-0x000000000143C000-memory.dmp

Filesize
6.5MB

Download
memory/1568-82-0x0000000000000000-mapping.dmp

Download
memory/1568-104-0x0000000001620000-0x0000000001CAC000-memory.dmp

Filesize
6.5MB

Download
memory/1568-103-0x0000000001620000-0x0000000001CAC000-memory.dmp

Filesize
6.5MB

Download
memory/1884-66-0x00000000026E0000-0x00000000026EC000-memory.dmp

Filesize
48KB

Download
memory/1884-78-0x0000000077A60000-0x0000000077BE0000-memory.dmp

Filesize
1.5MB

Download
memory/1884-77-0x0000000000910000-0x0000000000F9C000-memory.dmp

Filesize
6.5MB

Download
memory/1884-70-0x0000000002B50000-0x0000000002B5E000-memory.dmp

Filesize
56KB

Download
memory/1884-69-0x0000000002B40000-0x0000000002B4A000-memory.dmp

Filesize
40KB

Download
memory/1884-68-0x0000000002AB0000-0x0000000002ABC000-memory.dmp

Filesize
48KB

Download
memory/1884-67-0x0000000002A80000-0x0000000002A8C000-memory.dmp

Filesize
48KB

Download
memory/1884-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1884-65-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/1884-64-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/1884-63-0x00000000026B0000-0x00000000026C6000-memory.dmp

Filesize
88KB

Download
memory/1884-62-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1884-61-0x0000000077A60000-0x0000000077BE0000-memory.dmp

Filesize
1.5MB

Download
memory/1884-60-0x0000000001390000-0x0000000001A1C000-memory.dmp

Filesize
6.5MB

Download
memory/1884-59-0x0000000001390000-0x0000000001A1C000-memory.dmp

Filesize
6.5MB

Download
memory/1884-58-0x0000000001390000-0x0000000001A1C000-memory.dmp

Filesize
6.5MB

Download
memory/1884-57-0x0000000000910000-0x0000000000F9C000-memory.dmp

Filesize
6.5MB

Download