dcrat | 5623347388fc45acd294e716d177fcfe0a9240a118a63a1b4c1aff16decbc688

Analysis

max time kernel
35s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mefolis.exe
Size

2.1MB
MD5

4cec961d70acca93a3ba9ef751a6148e
SHA1

3073d86f539283571debb31f074c8c5d657bbb61
SHA256

5623347388fc45acd294e716d177fcfe0a9240a118a63a1b4c1aff16decbc688
SHA512

e2db3e7397608d45f720f9037e2516da8769259a0be73f3847169992f9ad3fbdaef2fa4df8e5175afc8dbbdba5c07a1b23bd3d5d3347dc2822d1175f8ca19659
SSDEEP

49152:UbA30QIb95L66TpclrNsIqhXNDWm5wD5cRc8:UbsG95dp+sIqr6VDORc8

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4572	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\chainsaves\reviewdrivercrt.exe	dcrat
C:\chainsaves\reviewdrivercrt.exe	dcrat
behavioral2/memory/4556-141-0x0000000000870000-0x0000000000A48000-memory.dmp	dcrat
C:\Recovery\WindowsRE\sppsvc.exe	dcrat
C:\Recovery\WindowsRE\sppsvc.exe	dcrat
C:\Recovery\WindowsRE\sppsvc.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

pid process

4556 reviewdrivercrt.exe
4880 sppsvc.exe
5024 sppsvc.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mefolis.exeWScript.exereviewdrivercrt.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Mefolis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	reviewdrivercrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdrivercrt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 12 IoCs

Processes:

reviewdrivercrt.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ea1d8f6d871115	reviewdrivercrt.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	reviewdrivercrt.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	reviewdrivercrt.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\reviewdrivercrt.exe	reviewdrivercrt.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\1ba2e1e55c49af	reviewdrivercrt.exe
File created	C:\Program Files\Windows Mail\winlogon.exe	reviewdrivercrt.exe
File created	C:\Program Files\Reference Assemblies\dllhost.exe	reviewdrivercrt.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe	reviewdrivercrt.exe
File created	C:\Program Files\Windows Mail\services.exe	reviewdrivercrt.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	reviewdrivercrt.exe
File created	C:\Program Files\Windows Mail\cc11b995f2a76d	reviewdrivercrt.exe
File created	C:\Program Files\Reference Assemblies\5940a34987c991	reviewdrivercrt.exe

Drops file in Windows directory 2 IoCs

Processes:

reviewdrivercrt.exe

description ioc process

File created C:\Windows\de-DE\System.exe reviewdrivercrt.exe
File created C:\Windows\de-DE\27d1bcfc3c54e0 reviewdrivercrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\de-DE\System.exe	reviewdrivercrt.exe
File created	C:\Windows\de-DE\27d1bcfc3c54e0	reviewdrivercrt.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3128	schtasks.exe
1548	schtasks.exe
3200	schtasks.exe
3928	schtasks.exe
5056	schtasks.exe
1900	schtasks.exe
1852	schtasks.exe
4928	schtasks.exe
392	schtasks.exe
4552	schtasks.exe
4656	schtasks.exe
1880	schtasks.exe
2936	schtasks.exe
2492	schtasks.exe
2200	schtasks.exe
4868	schtasks.exe
4300	schtasks.exe
5052	schtasks.exe
920	schtasks.exe
2016	schtasks.exe
3648	schtasks.exe
2908	schtasks.exe
3344	schtasks.exe
596	schtasks.exe
3516	schtasks.exe
4588	schtasks.exe
2204	schtasks.exe
1612	schtasks.exe
780	schtasks.exe
3856	schtasks.exe
3196	schtasks.exe
876	schtasks.exe
4720	schtasks.exe
4268	schtasks.exe
4620	schtasks.exe
224	schtasks.exe
2112	schtasks.exe
1244	schtasks.exe
3816	schtasks.exe
4468	schtasks.exe
5108	schtasks.exe
2080	schtasks.exe
3628	schtasks.exe
2592	schtasks.exe
2732	schtasks.exe
1540	schtasks.exe
3380	schtasks.exe
4916	schtasks.exe

Modifies registry class 3 IoCs

Processes:

Mefolis.exesppsvc.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Mefolis.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	sppsvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4740 reg.exe

pid	process
4740	reg.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

pid	process
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4556	reviewdrivercrt.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
4880	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe
5024	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

description pid process

Token: SeDebugPrivilege 4556 reviewdrivercrt.exe
Token: SeDebugPrivilege 4880 sppsvc.exe
Token: SeDebugPrivilege 5024 sppsvc.exe

description	pid	process
Token: SeDebugPrivilege	4556	reviewdrivercrt.exe
Token: SeDebugPrivilege	4880	sppsvc.exe
Token: SeDebugPrivilege	5024	sppsvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Mefolis.exeWScript.execmd.exereviewdrivercrt.exesppsvc.execmd.exesppsvc.execmd.exe

description	pid	process	target process
PID 4856 wrote to memory of 2240	4856	Mefolis.exe	WScript.exe
PID 4856 wrote to memory of 2240	4856	Mefolis.exe	WScript.exe
PID 4856 wrote to memory of 2240	4856	Mefolis.exe	WScript.exe
PID 4856 wrote to memory of 4708	4856	Mefolis.exe	WScript.exe
PID 4856 wrote to memory of 4708	4856	Mefolis.exe	WScript.exe
PID 4856 wrote to memory of 4708	4856	Mefolis.exe	WScript.exe
PID 2240 wrote to memory of 2128	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 2128	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 2128	2240	WScript.exe	cmd.exe
PID 2128 wrote to memory of 4556	2128	cmd.exe	reviewdrivercrt.exe
PID 2128 wrote to memory of 4556	2128	cmd.exe	reviewdrivercrt.exe
PID 4556 wrote to memory of 4880	4556	reviewdrivercrt.exe	sppsvc.exe
PID 4556 wrote to memory of 4880	4556	reviewdrivercrt.exe	sppsvc.exe
PID 2128 wrote to memory of 4740	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 4740	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 4740	2128	cmd.exe	reg.exe
PID 4880 wrote to memory of 2896	4880	sppsvc.exe	cmd.exe
PID 4880 wrote to memory of 2896	4880	sppsvc.exe	cmd.exe
PID 2896 wrote to memory of 3420	2896	cmd.exe	w32tm.exe
PID 2896 wrote to memory of 3420	2896	cmd.exe	w32tm.exe
PID 2896 wrote to memory of 5024	2896	cmd.exe	sppsvc.exe
PID 2896 wrote to memory of 5024	2896	cmd.exe	sppsvc.exe
PID 5024 wrote to memory of 1448	5024	sppsvc.exe	cmd.exe
PID 5024 wrote to memory of 1448	5024	sppsvc.exe	cmd.exe
PID 1448 wrote to memory of 4748	1448	cmd.exe	w32tm.exe
PID 1448 wrote to memory of 4748	1448	cmd.exe	w32tm.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

reviewdrivercrt.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdrivercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\Mefolis.exe
"C:\Users\Admin\AppData\Local\Temp\Mefolis.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainsaves\T3hnwEBLwzY1iV4786K.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\chainsaves\UJ38w6IDoznbEzbDyEZufw.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\chainsaves\reviewdrivercrt.exe
"C:\chainsaves\reviewdrivercrt.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4556

C:\Recovery\WindowsRE\sppsvc.exe
"C:\Recovery\WindowsRE\sppsvc.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3420

C:\Recovery\WindowsRE\sppsvc.exe
"C:\Recovery\WindowsRE\sppsvc.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:4740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainsaves\file.vbs"
2⤵
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\chainsaves\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\chainsaves\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\chainsaves\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdrivercrtr" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\reviewdrivercrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdrivercrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\reviewdrivercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewdrivercrtr" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\reviewdrivercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sppsvc.exe
Filesize
1.8MB

MD5
c60b6a683bc811d16519bbc5876d88c3

SHA1
498e939c524a60e7d1f6e38845d7bd69bd684ce8

SHA256
fbdf55f11b0d81367a18b9c6f289c478d675ee36546545976d9b6924ff54671a

SHA512
0767d7d538dc57922ff22d44277bc14e654eec1af58c391275786721dc039cc152e06d53c7bcde84c37dab1a3a23506704d28ce280015c4076a2b69f9107025c

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe
Filesize
1.8MB

MD5
c60b6a683bc811d16519bbc5876d88c3

SHA1
498e939c524a60e7d1f6e38845d7bd69bd684ce8

SHA256
fbdf55f11b0d81367a18b9c6f289c478d675ee36546545976d9b6924ff54671a

SHA512
0767d7d538dc57922ff22d44277bc14e654eec1af58c391275786721dc039cc152e06d53c7bcde84c37dab1a3a23506704d28ce280015c4076a2b69f9107025c

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe
Filesize
1.8MB

MD5
c60b6a683bc811d16519bbc5876d88c3

SHA1
498e939c524a60e7d1f6e38845d7bd69bd684ce8

SHA256
fbdf55f11b0d81367a18b9c6f289c478d675ee36546545976d9b6924ff54671a

SHA512
0767d7d538dc57922ff22d44277bc14e654eec1af58c391275786721dc039cc152e06d53c7bcde84c37dab1a3a23506704d28ce280015c4076a2b69f9107025c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat
Filesize
197B

MD5
717a8026d081ca4ba759635538f74887

SHA1
748c5ee970c274d09f51254ac559c84ef3123cc9

SHA256
3e03975781bde4ba61e56345ec56ef0618d1154dd57bb602e864874c20ec47ca

SHA512
68949865b87f05c24664959a60a51a89b374b0da8c6ba5741f4327f3f732dc610a9793b1677f075843774bfe019a94761ab5268688c333c664232789da903886

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat
Filesize
197B

MD5
9070e94210c8b4f874d6a484c7b0c752

SHA1
b71346bd4640daf8bcf9af71764c3cb2c8dd9a1f

SHA256
2244b7c12ad720cf7c99319ba8e1d398d12dda46096ead67e5c578f19327c4fd

SHA512
4a4f6df31eea4854e44cf5968200200a6dc24207053d4a343229f3a10f110c985f2ed99df55986df8fe38d3ec87e76382a99b3b5f88fafc566097e82b137b2e4

Download Submit
C:\chainsaves\T3hnwEBLwzY1iV4786K.vbe
Filesize
209B

MD5
1e7572afe328d5dc133c5e3c5909b7ee

SHA1
da485b56354961d514863f1e4fa91dc38b83abec

SHA256
fe44ecb0464c7877ee0e30b9bcae1de4e73153427fb60dd4a8a170eb6ea58768

SHA512
443b05b686b3a41613dee1064618f459b43f2d61951bcd04e23b08d60c064a2f07ec4a007a9fa5fcde02c3c9290653891395bc206d947b74eb31854fde5eaaf8

Download Submit
C:\chainsaves\UJ38w6IDoznbEzbDyEZufw.bat
Filesize
147B

MD5
8393784eddc0edc62252a93088c0e7a9

SHA1
2e104246e3c2156048750e51b9e1595558549b0e

SHA256
21adb6247b28b0bbf3a6ebdd0d8b0a5aebccaf2f56998982db8ee3de964a48f4

SHA512
0b9ed725e1761993e98fb55e8a0add5a742064a4a8a62c3f2cb060746ca67ca95bf14c3bf002a2829124526bc8ae8b09f85c9fa8f6f50436aa3f8215f4dc1980

Download Submit
C:\chainsaves\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\chainsaves\reviewdrivercrt.exe
Filesize
1.8MB

MD5
c60b6a683bc811d16519bbc5876d88c3

SHA1
498e939c524a60e7d1f6e38845d7bd69bd684ce8

SHA256
fbdf55f11b0d81367a18b9c6f289c478d675ee36546545976d9b6924ff54671a

SHA512
0767d7d538dc57922ff22d44277bc14e654eec1af58c391275786721dc039cc152e06d53c7bcde84c37dab1a3a23506704d28ce280015c4076a2b69f9107025c

Download Submit
C:\chainsaves\reviewdrivercrt.exe
Filesize
1.8MB

MD5
c60b6a683bc811d16519bbc5876d88c3

SHA1
498e939c524a60e7d1f6e38845d7bd69bd684ce8

SHA256
fbdf55f11b0d81367a18b9c6f289c478d675ee36546545976d9b6924ff54671a

SHA512
0767d7d538dc57922ff22d44277bc14e654eec1af58c391275786721dc039cc152e06d53c7bcde84c37dab1a3a23506704d28ce280015c4076a2b69f9107025c

Download Submit
memory/1448-159-0x0000000000000000-mapping.dmp

Download
memory/2128-137-0x0000000000000000-mapping.dmp

Download
memory/2240-132-0x0000000000000000-mapping.dmp

Download
memory/2896-151-0x0000000000000000-mapping.dmp

Download
memory/3420-154-0x0000000000000000-mapping.dmp

Download
memory/4556-142-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-148-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-144-0x000000001D410000-0x000000001D938000-memory.dmp

Filesize
5.2MB

Download
memory/4556-143-0x000000001B6C0000-0x000000001B710000-memory.dmp

Filesize
320KB

Download
memory/4556-141-0x0000000000870000-0x0000000000A48000-memory.dmp

Filesize
1.8MB

Download
memory/4556-138-0x0000000000000000-mapping.dmp

Download
memory/4708-133-0x0000000000000000-mapping.dmp

Download
memory/4740-150-0x0000000000000000-mapping.dmp

Download
memory/4748-162-0x0000000000000000-mapping.dmp

Download
memory/4880-149-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-152-0x00007FFD3D0E0000-0x00007FFD3DBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-145-0x0000000000000000-mapping.dmp

Download
memory/5024-158-0x00007FFD3CD90000-0x00007FFD3D851000-memory.dmp

Filesize
10.8MB

Download
memory/5024-155-0x0000000000000000-mapping.dmp

Download
memory/5024-160-0x00007FFD3CD90000-0x00007FFD3D851000-memory.dmp

Filesize
10.8MB

Download