dcrat | 691fc2c5c9b9effa163ffbd49bc9a8be1df6b0e6f8a792bedd4e418da3124d84

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FatalityCrack/Fatality.exe
Size

4.0MB
MD5

fbd12d4ed9c24c092a1690cc37724957
SHA1

9d8709497378bb43d7d77d74b4919a36c01c895a
SHA256

27e56c30c96f880010fb2ec6151ca1176c7292541050ce3f2158b38e82f9f46c
SHA512

829c07f37b99c563065ce84b1a0d721ac93e1b2092d358c297a001c163cd278f43d4f21661dbe7001ecba9841079ba66b57229041dc0698a9a28975ca7c5c2a0
SSDEEP

98304:hBaYSF0HWypBty+P/AGcGFvK/NWIpskZHDRgx3iS:hB/Hhp6CK/Nv5kyS

Score

10^/10

dcrat defense_evasion discovery infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2920	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2920	schtasks.exe	87

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/files/0x000c000000023b06-7.dat	dcrat
behavioral6/files/0x0007000000023c5c-31.dat	dcrat
behavioral6/memory/4016-33-0x0000000000570000-0x000000000087A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Fatality.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Fatality2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	providerCrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 6 IoCs

pid	Process
1940	Fatality2.exe
1972	fatality.exe
4016	providerCrt.exe
4872	csrss.exe
1476	csrss.exe
4796	csrss.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	providerCrt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\uk-UA\886983d96e3d3e	providerCrt.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	providerCrt.exe
File created	C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe	providerCrt.exe
File created	C:\Program Files (x86)\Adobe\SppExtComObj.exe	providerCrt.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe	providerCrt.exe
File created	C:\Program Files (x86)\Windows Media Player\5b884080fd4f94	providerCrt.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\MoUsoCoreWorker.exe	providerCrt.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\1f93f77a7f4778	providerCrt.exe
File created	C:\Program Files (x86)\Adobe\e1ef82546f0b02	providerCrt.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	providerCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatality2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Fatality2.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	providerCrt.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3684	schtasks.exe
1856	schtasks.exe
2464	schtasks.exe
4876	schtasks.exe
2000	schtasks.exe
1348	schtasks.exe
1696	schtasks.exe
4480	schtasks.exe
2364	schtasks.exe
1860	schtasks.exe
1436	schtasks.exe
1664	schtasks.exe
3068	schtasks.exe
672	schtasks.exe
1824	schtasks.exe
2268	schtasks.exe
924	schtasks.exe
3856	schtasks.exe
3596	schtasks.exe
4836	schtasks.exe
3080	schtasks.exe
4900	schtasks.exe
3292	schtasks.exe
3400	schtasks.exe
2284	schtasks.exe
4716	schtasks.exe
948	schtasks.exe
8	schtasks.exe
2924	schtasks.exe
1352	schtasks.exe
1752	schtasks.exe
4356	schtasks.exe
624	schtasks.exe
912	schtasks.exe
4808	schtasks.exe
3576	schtasks.exe
1248	schtasks.exe
4488	schtasks.exe
936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4016	providerCrt.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe
4872	csrss.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	Fatality.exe
Token: SeDebugPrivilege	4016	providerCrt.exe
Token: SeDebugPrivilege	4872	csrss.exe
Token: SeDebugPrivilege	1476	csrss.exe
Token: SeDebugPrivilege	4796	csrss.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1940	1776	Fatality.exe	88
PID 1776 wrote to memory of 1940	1776	Fatality.exe	88
PID 1776 wrote to memory of 1940	1776	Fatality.exe	88
PID 1776 wrote to memory of 1972	1776	Fatality.exe	89
PID 1776 wrote to memory of 1972	1776	Fatality.exe	89
PID 1776 wrote to memory of 1972	1776	Fatality.exe	89
PID 1940 wrote to memory of 4340	1940	Fatality2.exe	90
PID 1940 wrote to memory of 4340	1940	Fatality2.exe	90
PID 1940 wrote to memory of 4340	1940	Fatality2.exe	90
PID 4340 wrote to memory of 2988	4340	WScript.exe	96
PID 4340 wrote to memory of 2988	4340	WScript.exe	96
PID 4340 wrote to memory of 2988	4340	WScript.exe	96
PID 2988 wrote to memory of 4016	2988	cmd.exe	98
PID 2988 wrote to memory of 4016	2988	cmd.exe	98
PID 4016 wrote to memory of 5056	4016	providerCrt.exe	139
PID 4016 wrote to memory of 5056	4016	providerCrt.exe	139
PID 5056 wrote to memory of 1372	5056	cmd.exe	141
PID 5056 wrote to memory of 1372	5056	cmd.exe	141
PID 5056 wrote to memory of 4872	5056	cmd.exe	142
PID 5056 wrote to memory of 4872	5056	cmd.exe	142
PID 4872 wrote to memory of 772	4872	csrss.exe	143
PID 4872 wrote to memory of 772	4872	csrss.exe	143
PID 4872 wrote to memory of 4004	4872	csrss.exe	144
PID 4872 wrote to memory of 4004	4872	csrss.exe	144
PID 772 wrote to memory of 1476	772	WScript.exe	149
PID 772 wrote to memory of 1476	772	WScript.exe	149
PID 1476 wrote to memory of 4016	1476	csrss.exe	150
PID 1476 wrote to memory of 4016	1476	csrss.exe	150
PID 1476 wrote to memory of 3644	1476	csrss.exe	151
PID 1476 wrote to memory of 3644	1476	csrss.exe	151
PID 4016 wrote to memory of 4796	4016	WScript.exe	159
PID 4016 wrote to memory of 4796	4016	WScript.exe	159
PID 4796 wrote to memory of 4772	4796	csrss.exe	160
PID 4796 wrote to memory of 4772	4796	csrss.exe	160
PID 4796 wrote to memory of 2404	4796	csrss.exe	162
PID 4796 wrote to memory of 2404	4796	csrss.exe	162

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	providerCrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FatalityCrack\Fatality.exe
"C:\Users\Admin\AppData\Local\Temp\FatalityCrack\Fatality.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\Fatality2.exe
  "C:\Users\Admin\AppData\Local\Temp\Fatality2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comSavesCommon\sc70IAxKPvTolc.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\comSavesCommon\0DO98.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\comSavesCommon\providerCrt.exe
        
        "C:\comSavesCommon\providerCrt.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n8jnNCGY4K.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1372
        
        C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259673c0-ff7d-48c7-81d6-a0b8cc2e42fb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db11eb64-8037-4ff4-a435-d2c77c49c3d7.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9d4817-4763-4dab-bc70-6d7e1f417a7d.vbs"
        12⤵
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3144040e-b30d-4236-aa46-ef50d30c8415.vbs"
        12⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a85e0f-74e3-48e7-91ce-cb66269e81c5.vbs"
        10⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b0cd363-8b19-4f73-9d84-8525189c4cf1.vbs"
        8⤵
        
        PID:4004
- C:\Users\Admin\AppData\Local\Temp\fatality.exe
  "C:\Users\Admin\AppData\Local\Temp\fatality.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\comSavesCommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\comSavesCommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\comSavesCommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\comSavesCommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\comSavesCommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\comSavesCommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\259673c0-ff7d-48c7-81d6-a0b8cc2e42fb.vbs

Filesize
729B

MD5
f1d8af4b007eb6e4b664d68444ca9b0a

SHA1
ae173b62ad6d4b85922c717353b896039958e669

SHA256
595feed2999de01db95434f9782710406c5dbb8b4605e828ab04a3885e4ab155

SHA512
24e86c00fd860f7de08141e428a41df99a10f301490d46d7fbfb88645e7207307ad50abc4413702ca0d3c139677a985b11523e593aa7bb6c75aca2ba14be0488

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b0cd363-8b19-4f73-9d84-8525189c4cf1.vbs

Filesize
505B

MD5
19f4a043ed737d2cd8cc00798d591707

SHA1
629a7893686b20b0e505cb30d18ceb276e9970a4

SHA256
40ce50d0be017ed712a7a35aa2130de62efa8753a488da57539f7d843b091c3b

SHA512
1706249ad593f5ec0082d2b437170a3bc78da3a4f27058a829aa4191e6eb117db399eb1e5a411042b4fcb20d3ede077dd9814985e04cbee6db073eb682b62655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatality2.exe

Filesize
3.3MB

MD5
d7a497c51a219967de0636c63d0b6ff7

SHA1
b2a027f0139135dca65c417ee9d1f5963c965825

SHA256
3f7dbeb177934d53205b93a27b9f4262fe0f46aaf090326cb8e2069d90d0414c

SHA512
728a0ce0e6e2e60f3bc69786f7d69939b171279d07aafcc37720156954bd96d707a035bffe0497463bb0483c82a03c57c5b33624a3114526d12dd43fa509c921

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac9d4817-4763-4dab-bc70-6d7e1f417a7d.vbs

Filesize
729B

MD5
b76f828858405a0da870e1e3311876e8

SHA1
e761c68751efd0de8ae2360da9e6af8cb3b20adb

SHA256
781ba3ca6de2d5001605f4d163b37901fb49b63f3d370193be4ec93c55a76760

SHA512
5ad7f27edfb145719f4b12ae50da323813f907b333580a6b90af851db336b4cb264f2337da6e456e392481faae450180b5964b19a391f77c99ed642ebd204934

Download Submit
C:\Users\Admin\AppData\Local\Temp\db11eb64-8037-4ff4-a435-d2c77c49c3d7.vbs

Filesize
729B

MD5
a016653390c01039fd7a1320e6e972d7

SHA1
f95f6d576f35e032733ca8b32b215f5e391cae44

SHA256
21b2085de96888be910a8af148a12a77cdcb511f6633012a35b60b092a20b4ef

SHA512
7b361bad37c33dc8214d83beeb7bddf649cc76098c5aa8c7e29fd6afa13958581870d823d594daeea3d24518b2952de8f374b4da3ad88d8b785224d7354e67cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
2.0MB

MD5
b5ae62edbf81a0dec30fedcc6d136245

SHA1
9f89cca56f20cb73503e068f5bb115fdda0cf272

SHA256
5cd7137393dddb5cd41a55429871f443dcf6c2791eeaaade4fdb43f7a07c8865

SHA512
3e525757ca541897e3766f73e53f21ac4ba1147ee33cc5df2117131808de8e6a3c576d8799e22dc3c76afe163102cc8517a3834388c1f06365e892a389166cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8jnNCGY4K.bat

Filesize
218B

MD5
edc89c56659384fc351a08a1b942fe2f

SHA1
fe96821c8f7915b210b940496d5212637b791f91

SHA256
76191e109e9cb806f9689d500d9f9e53c54137ce2ca355e9d29bbb332cd0c783

SHA512
748a9816c25c4332d69ffcbfda401c2c3a541ea49607b1c0dc992ad68882ec118e7bf9c318e11cfbcd034c3ade6c891e78299cde691f5b2275384e5679e9ae73

Download Submit
C:\comSavesCommon\0DO98.bat

Filesize
35B

MD5
287a1d2eb08c19f2c25d7f2ae9f2514c

SHA1
02848644d030ea07622280f44c4de07a995ee18e

SHA256
a1c6a60f1b7ddb527a30dad1c3073916f7068a2fdbb2b15598f3905b42cbb52a

SHA512
e5a31793fb0f147fd10344caf7527a1a827a5aaab9b8f12c18d6fb067312b43346b4f82f099450158a5aa1552cfbe9dc811d801861fe4c8f61e0c493f32f428b

Download Submit
C:\comSavesCommon\providerCrt.exe

Filesize
3.0MB

MD5
d6ad419407e01490a6423c86dc133a2b

SHA1
3f281e19055eb89000bccdffe11243663134c762

SHA256
9055ac76247c7b28a3f66bef41ec65e280b5a729862bc36789fa41e5ae7c53ce

SHA512
6da8a0e699a922f9e7f335467540f92fadc79ea7bd840ebc2d86e9be3909421c9c494da7df5c72ad5ef2a818f718ca67886de7b45da93e6cb050ebefb0a6119d

Download Submit
C:\comSavesCommon\sc70IAxKPvTolc.vbe

Filesize
197B

MD5
b0e77cae01fcf490ba345155c34c462d

SHA1
8b1a27868b122c54db4b55a1f9bb11ae1f9a8d9b

SHA256
aabe1b22990d934e5723fdd4199bb2a22d5b58c25151698f66a83646e86fb278

SHA512
b1f8519895d6c5c92acdf124c82530debedaa9c0f673b92babc92ceceb4f8c579f8060f093bbe6c20bbc6358ce29735dcca5d0338a9deafe508a43b160b25363

Download Submit
memory/1776-20-0x00007FF8DB110000-0x00007FF8DBBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1776-0-0x00007FF8DB113000-0x00007FF8DB115000-memory.dmp

Filesize
8KB

Download
memory/1776-2-0x00007FF8DB110000-0x00007FF8DBBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1776-1-0x0000000000680000-0x0000000000A80000-memory.dmp

Filesize
4.0MB

Download
memory/4016-46-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/4016-55-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/4016-39-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/4016-42-0x000000001BB10000-0x000000001BB1A000-memory.dmp

Filesize
40KB

Download
memory/4016-43-0x000000001BB70000-0x000000001BBC6000-memory.dmp

Filesize
344KB

Download
memory/4016-44-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/4016-45-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/4016-40-0x000000001BAE0000-0x000000001BAF6000-memory.dmp

Filesize
88KB

Download
memory/4016-47-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/4016-48-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/4016-49-0x000000001C160000-0x000000001C688000-memory.dmp

Filesize
5.2MB

Download
memory/4016-50-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/4016-51-0x000000001BC40000-0x000000001BC48000-memory.dmp

Filesize
32KB

Download
memory/4016-52-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/4016-53-0x000000001BC60000-0x000000001BC6C000-memory.dmp

Filesize
48KB

Download
memory/4016-41-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/4016-54-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/4016-57-0x000000001BE90000-0x000000001BE9E000-memory.dmp

Filesize
56KB

Download
memory/4016-56-0x000000001BE80000-0x000000001BE8A000-memory.dmp

Filesize
40KB

Download
memory/4016-58-0x000000001BEA0000-0x000000001BEAE000-memory.dmp

Filesize
56KB

Download
memory/4016-60-0x000000001BF30000-0x000000001BF3A000-memory.dmp

Filesize
40KB

Download
memory/4016-59-0x000000001BF20000-0x000000001BF28000-memory.dmp

Filesize
32KB

Download
memory/4016-61-0x000000001BF40000-0x000000001BF4C000-memory.dmp

Filesize
48KB

Download
memory/4016-38-0x000000001BB20000-0x000000001BB70000-memory.dmp

Filesize
320KB

Download
memory/4016-37-0x000000001BAB0000-0x000000001BACC000-memory.dmp

Filesize
112KB

Download
memory/4016-36-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/4016-35-0x000000001B440000-0x000000001B44E000-memory.dmp

Filesize
56KB

Download
memory/4016-34-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/4016-33-0x0000000000570000-0x000000000087A000-memory.dmp

Filesize
3.0MB

Download