dcrat | eaf877b52975baa11069f182a50c1bcda8918177a35df15bc6ef3067bd1783b7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0139f1cbe8e37310d3992ab28e97880d.exe
Size

2.7MB
MD5

0139f1cbe8e37310d3992ab28e97880d
SHA1

8f4a45d3ccf6be63cac0b3a4885796adb1591c44
SHA256

eaf877b52975baa11069f182a50c1bcda8918177a35df15bc6ef3067bd1783b7
SHA512

baba23dea6c2ecdc14294c409f86928e5d833c959629f9e7fd8c4262b77560b8a5ba82c897552c5e46ec6feae3f6bda8cc1f28709e83f47e9d95834255572376

Score

10^/10

dcrat evasion infostealer rat suricata trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	640	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

blockserverDhcp.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ReviewsavesCrt\blockserverDhcp.exe	dcrat
C:\ReviewsavesCrt\blockserverDhcp.exe	dcrat
behavioral2/memory/2280-137-0x00000000007B0000-0x0000000000A16000-memory.dmp	dcrat
C:\ProgramData\WindowsHolographicDevices\winlogon.exe	dcrat
C:\Users\All Users\WindowsHolographicDevices\winlogon.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

blockserverDhcp.exewinlogon.exe

pid process

2280 blockserverDhcp.exe
3780 winlogon.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0139f1cbe8e37310d3992ab28e97880d.exeWScript.exeblockserverDhcp.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	0139f1cbe8e37310d3992ab28e97880d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	blockserverDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

blockserverDhcp.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	blockserverDhcp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 8 IoCs

Processes:

blockserverDhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\SearchApp.exe	blockserverDhcp.exe
File created	C:\Program Files (x86)\Adobe\38384e6a620884	blockserverDhcp.exe
File created	C:\Program Files (x86)\MSBuild\dwm.exe	blockserverDhcp.exe
File created	C:\Program Files (x86)\MSBuild\6cb0b6c459d5d3	blockserverDhcp.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe	blockserverDhcp.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\cc11b995f2a76d	blockserverDhcp.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe	blockserverDhcp.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\ebf1f9fa8afd6d	blockserverDhcp.exe

Drops file in Windows directory 2 IoCs

Processes:

blockserverDhcp.exe

description	ioc	process
File created	C:\Windows\ShellExperiences\dllhost.exe	blockserverDhcp.exe
File created	C:\Windows\ShellExperiences\5940a34987c991	blockserverDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4356	schtasks.exe
656	schtasks.exe
572	schtasks.exe
1288	schtasks.exe
880	schtasks.exe
2392	schtasks.exe
4588	schtasks.exe
4260	schtasks.exe
216	schtasks.exe
5112	schtasks.exe
2360	schtasks.exe
3056	schtasks.exe
1664	schtasks.exe
3636	schtasks.exe
3752	schtasks.exe
5108	schtasks.exe
2724	schtasks.exe
4352	schtasks.exe
5100	schtasks.exe
2152	schtasks.exe
232	schtasks.exe
2136	schtasks.exe
5020	schtasks.exe
5072	schtasks.exe
1448	schtasks.exe
2868	schtasks.exe
4668	schtasks.exe
4204	schtasks.exe
3088	schtasks.exe
4316	schtasks.exe
1736	schtasks.exe
3824	schtasks.exe
4620	schtasks.exe
3220	schtasks.exe
2288	schtasks.exe
4584	schtasks.exe
4612	schtasks.exe
4852	schtasks.exe
1832	schtasks.exe
3540	schtasks.exe
3372	schtasks.exe
4436	schtasks.exe
904	schtasks.exe
3964	schtasks.exe
3524	schtasks.exe
3424	schtasks.exe
2620	schtasks.exe
4716	schtasks.exe
2268	schtasks.exe
4148	schtasks.exe
1192	schtasks.exe
384	schtasks.exe
5116	schtasks.exe
2444	schtasks.exe
2668	schtasks.exe
60	schtasks.exe
2284	schtasks.exe

Modifies registry class 3 IoCs

Processes:

0139f1cbe8e37310d3992ab28e97880d.exeblockserverDhcp.exewinlogon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	0139f1cbe8e37310d3992ab28e97880d.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	blockserverDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

blockserverDhcp.exewinlogon.exe

pid	process
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
2280	blockserverDhcp.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe
3780	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

3780 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

blockserverDhcp.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 2280 blockserverDhcp.exe
Token: SeDebugPrivilege 3780 winlogon.exe

pid	process
3780	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	2280	blockserverDhcp.exe
Token: SeDebugPrivilege	3780	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0139f1cbe8e37310d3992ab28e97880d.exeWScript.execmd.exeblockserverDhcp.execmd.exewinlogon.exe

description	pid	process	target process
PID 4472 wrote to memory of 1292	4472	0139f1cbe8e37310d3992ab28e97880d.exe	WScript.exe
PID 4472 wrote to memory of 1292	4472	0139f1cbe8e37310d3992ab28e97880d.exe	WScript.exe
PID 4472 wrote to memory of 1292	4472	0139f1cbe8e37310d3992ab28e97880d.exe	WScript.exe
PID 1292 wrote to memory of 500	1292	WScript.exe	cmd.exe
PID 1292 wrote to memory of 500	1292	WScript.exe	cmd.exe
PID 1292 wrote to memory of 500	1292	WScript.exe	cmd.exe
PID 500 wrote to memory of 2280	500	cmd.exe	blockserverDhcp.exe
PID 500 wrote to memory of 2280	500	cmd.exe	blockserverDhcp.exe
PID 2280 wrote to memory of 1936	2280	blockserverDhcp.exe	cmd.exe
PID 2280 wrote to memory of 1936	2280	blockserverDhcp.exe	cmd.exe
PID 1936 wrote to memory of 4484	1936	cmd.exe	w32tm.exe
PID 1936 wrote to memory of 4484	1936	cmd.exe	w32tm.exe
PID 1936 wrote to memory of 3780	1936	cmd.exe	winlogon.exe
PID 1936 wrote to memory of 3780	1936	cmd.exe	winlogon.exe
PID 3780 wrote to memory of 2340	3780	winlogon.exe	WScript.exe
PID 3780 wrote to memory of 2340	3780	winlogon.exe	WScript.exe
PID 3780 wrote to memory of 2336	3780	winlogon.exe	WScript.exe
PID 3780 wrote to memory of 2336	3780	winlogon.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

blockserverDhcp.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	blockserverDhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\0139f1cbe8e37310d3992ab28e97880d.exe
"C:\Users\Admin\AppData\Local\Temp\0139f1cbe8e37310d3992ab28e97880d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ReviewsavesCrt\jgogQ9VgcZ.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ReviewsavesCrt\uB5AvQpgcLcFtsBotFOKvB.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\ReviewsavesCrt\blockserverDhcp.exe
"C:\ReviewsavesCrt\blockserverDhcp.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U5iKkAAgaA.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4484

C:\Users\All Users\WindowsHolographicDevices\winlogon.exe
"C:\Users\All Users\WindowsHolographicDevices\winlogon.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fd2905f-fe58-44e7-8399-f897d4097746.vbs"
7⤵
PID:2340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc2f0725-9288-48a2-9662-8f93710b0f06.vbs"
7⤵
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\ReviewsavesCrt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ReviewsavesCrt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\ReviewsavesCrt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\ReviewsavesCrt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewsavesCrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ReviewsavesCrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\ReviewsavesCrt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\ReviewsavesCrt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\ReviewsavesCrt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\ReviewsavesCrt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ReviewsavesCrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\ReviewsavesCrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\ReviewsavesCrt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewsavesCrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\ReviewsavesCrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\ReviewsavesCrt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ReviewsavesCrt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\ReviewsavesCrt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevices\winlogon.exe
Filesize
2.4MB

MD5
0c0193e01b40001279f3ada10e7cd3f3

SHA1
b43f2868fe79555d4c39b904ad629ea90315a579

SHA256
2682b3aabbe5d28685aa5ed273b3260e0cc87a3cae1cd29a9d212e66d16edde2

SHA512
454c376e50afaa5f8acf32470a2643f5f4efaebb52e799261508a2b089024377e878eaff9ffe4961da4a8ba6b939e18c9a3eaf5da04020a2b512dfda695fe2a0

Download Submit
C:\ReviewsavesCrt\blockserverDhcp.exe
Filesize
2.4MB

MD5
0c0193e01b40001279f3ada10e7cd3f3

SHA1
b43f2868fe79555d4c39b904ad629ea90315a579

SHA256
2682b3aabbe5d28685aa5ed273b3260e0cc87a3cae1cd29a9d212e66d16edde2

SHA512
454c376e50afaa5f8acf32470a2643f5f4efaebb52e799261508a2b089024377e878eaff9ffe4961da4a8ba6b939e18c9a3eaf5da04020a2b512dfda695fe2a0

Download Submit
C:\ReviewsavesCrt\blockserverDhcp.exe
Filesize
2.4MB

MD5
0c0193e01b40001279f3ada10e7cd3f3

SHA1
b43f2868fe79555d4c39b904ad629ea90315a579

SHA256
2682b3aabbe5d28685aa5ed273b3260e0cc87a3cae1cd29a9d212e66d16edde2

SHA512
454c376e50afaa5f8acf32470a2643f5f4efaebb52e799261508a2b089024377e878eaff9ffe4961da4a8ba6b939e18c9a3eaf5da04020a2b512dfda695fe2a0

Download Submit
C:\ReviewsavesCrt\jgogQ9VgcZ.vbe
Filesize
213B

MD5
632664809b1ef04d083a775173868970

SHA1
e5b81aa5e157369b5f53e1c0e08c184df96a4664

SHA256
ce2d3dfd20417f55d2b9754cb0057a2d2d397764d434c714a126766d5b2c6e0d

SHA512
5677a1c80444d060b16a8f3c5b6d51bdaacdb919c0d1700ce59d9d7541dfe829fa0ece3edf6ad36b299e1b63d887b502c18f050ca039515900c6a4bc56732aa4

Download Submit
C:\ReviewsavesCrt\uB5AvQpgcLcFtsBotFOKvB.bat
Filesize
39B

MD5
78068471e3409ae0d1a40b1b4484bb61

SHA1
d96d4bee4a3c6832359370fbe9c37a5ff3e3be10

SHA256
891505589d1764f01608bb3d8cc40d46adf6309d8fc83946a450fe85471ec36c

SHA512
9b9975d5b64b9ee0ab332194ccce15a32b66605f167d73b2c99af17484671818dc31cd153e8a5f60c2dfdaec5b55ee8ebf9467133e3c9a23a09c5d605cb6b520

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fd2905f-fe58-44e7-8399-f897d4097746.vbs
Filesize
733B

MD5
3b10c75efba7b9871034365ff690ae21

SHA1
be7ea7c4f678836704239e17585e0ccdbe1fe882

SHA256
0d44a2ff464fe786e8b17fc67bcbc1c901670736e5df791798b98760bbfc3460

SHA512
c70a4ea6fd9c2ceb68ae514f74b0e66644fe3f9b4b405222804e7537d651168de920daa243989471b29be1cdf56b816ba3903c185f4de94029be7455aa958760

Download Submit
C:\Users\Admin\AppData\Local\Temp\U5iKkAAgaA.bat
Filesize
222B

MD5
330bce1b6bebd29f9ab55bc9b1b2cd15

SHA1
544a95b83a25e68774d31afaf05d2f6059356058

SHA256
936dab2cd4f852d6c31dcdff84850988468f178e1e7539d2d2136249260a5645

SHA512
072fad69bc3f932af8355e5eecc1cba61193e8d0d561005eabbc1eac4bee184fde079c23d8ac44a9dd1afe03d071edbe95fddf4351b8386766b26c001d4245b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc2f0725-9288-48a2-9662-8f93710b0f06.vbs
Filesize
509B

MD5
a726aea0ec4f456994be645dfb6c3392

SHA1
42a7aba3156c315aba0a57a59aca811782bd2c4b

SHA256
8e5535233b578ccf93999a50874a9b5b3328a22978c068f2f3f74f2085880618

SHA512
932c2afd6dd8976322f50415112480965e77bc25041823a2015d4ce1033329ebf9c69356b385ae84581e80bdcc707202a00edcae3157dc4cb3e90f5d208350a8

Download Submit
C:\Users\All Users\WindowsHolographicDevices\winlogon.exe
Filesize
2.4MB

MD5
0c0193e01b40001279f3ada10e7cd3f3

SHA1
b43f2868fe79555d4c39b904ad629ea90315a579

SHA256
2682b3aabbe5d28685aa5ed273b3260e0cc87a3cae1cd29a9d212e66d16edde2

SHA512
454c376e50afaa5f8acf32470a2643f5f4efaebb52e799261508a2b089024377e878eaff9ffe4961da4a8ba6b939e18c9a3eaf5da04020a2b512dfda695fe2a0

Download Submit
memory/500-133-0x0000000000000000-mapping.dmp

Download
memory/1292-130-0x0000000000000000-mapping.dmp

Download
memory/1936-140-0x0000000000000000-mapping.dmp

Download
memory/2280-137-0x00000000007B0000-0x0000000000A16000-memory.dmp

Filesize
2.4MB

Download
memory/2280-139-0x000000001C6E0000-0x000000001C730000-memory.dmp

Filesize
320KB

Download
memory/2280-143-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-138-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-134-0x0000000000000000-mapping.dmp

Download
memory/2336-149-0x0000000000000000-mapping.dmp

Download
memory/2340-148-0x0000000000000000-mapping.dmp

Download
memory/3780-144-0x0000000000000000-mapping.dmp

Download
memory/3780-152-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp

Filesize
10.8MB

Download
memory/3780-147-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-142-0x0000000000000000-mapping.dmp

Download