dcrat | 12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694

Analysis

max time kernel
134s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

╤à╨╛╨╝╤Å╨║.exe
Size

13.5MB
MD5

a26a308a71c3fd57cd4fad9dc8d55fb1
SHA1

3722d8d2b321f72b2e207a8e1f7e408d35c7d607
SHA256

12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694
SHA512

306868bb537ffae0a7cd4de76b0f52079b2aa5f744f50abe3a866f4bb2f17a829cb91537a30c76240798248a0e9da6d5f92591ed1e7101337e2aa0f78e764e55
SSDEEP

393216:n5BbqQ/ThnhIxo1S/Js7D+xZlwRjMAke5F:5P4xy0ADFRYAj

Score

10^/10

dcrat bootkit infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2316	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2316	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe	dcrat
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe	dcrat
behavioral2/memory/4576-79-0x00000000006C0000-0x000000000082A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeNVIDIA Container.exeNVIDIA Container.exeWScript.exeСтоны.exeNVIDIA Container.exeWScript.exeNVIDIA Container.exe╤à╨╛╨╝╤Å╨║.exeYkraine.exehitler.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Стоны.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NVIDIA Container.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	╤à╨╛╨╝╤Å╨║.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Ykraine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	hitler.exe

Executes dropped EXE 11 IoCs

Processes:

hitler.exetin.exeYkraine.exeСтоны.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeStartMenuExperienceHost.exe

pid	process
1560	hitler.exe
1612	tin.exe
1552	Ykraine.exe
2676	Стоны.exe
544	NVIDIA Container.exe
5008	NVIDIA Container.exe
2232	NVIDIA Container.exe
4576	NVIDIA Container.exe
1540	NVIDIA Container.exe
3892	NVIDIA Container.exe
60	StartMenuExperienceHost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

tin.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tin.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tin.exe

Drops file in Program Files directory 4 IoCs

Processes:

NVIDIA Container.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe	NVIDIA Container.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	NVIDIA Container.exe
File created	C:\Program Files\Windows Mail\NVIDIA Container.exe	NVIDIA Container.exe
File created	C:\Program Files\Windows Mail\35158c38368e73	NVIDIA Container.exe

Drops file in Windows directory 6 IoCs

Processes:

NVIDIA Container.exe

description	ioc	process
File created	C:\Windows\GameBarPresenceWriter\38384e6a620884	NVIDIA Container.exe
File created	C:\Windows\SoftwareDistribution\DataStore\dllhost.exe	NVIDIA Container.exe
File created	C:\Windows\SoftwareDistribution\DataStore\5940a34987c991	NVIDIA Container.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\TextInputHost.exe	NVIDIA Container.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\22eafd247d37c3	NVIDIA Container.exe
File created	C:\Windows\GameBarPresenceWriter\SearchApp.exe	NVIDIA Container.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	NVIDIA Container.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	NVIDIA Container.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4632	schtasks.exe
3692	schtasks.exe
208	schtasks.exe
2680	schtasks.exe
404	schtasks.exe
2732	schtasks.exe
1492	schtasks.exe
748	schtasks.exe
1628	schtasks.exe
1528	schtasks.exe
1924	schtasks.exe
4728	schtasks.exe
4236	schtasks.exe
4520	schtasks.exe
4012	schtasks.exe
1412	schtasks.exe
1020	schtasks.exe
3064	schtasks.exe
5032	schtasks.exe
2224	schtasks.exe
3148	schtasks.exe
3436	schtasks.exe
464	schtasks.exe
2776	schtasks.exe
2816	schtasks.exe
2300	schtasks.exe
4004	schtasks.exe
4916	schtasks.exe
3100	schtasks.exe
5024	schtasks.exe
1128	schtasks.exe
4140	schtasks.exe
556	schtasks.exe
4396	schtasks.exe
4540	schtasks.exe
4904	schtasks.exe
4168	schtasks.exe
4068	schtasks.exe
4716	schtasks.exe
3912	schtasks.exe
1380	schtasks.exe
1284	schtasks.exe
3248	schtasks.exe
4568	schtasks.exe
2096	schtasks.exe
4424	schtasks.exe
4376	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

NVIDIA Container.exe

pid process

4576 NVIDIA Container.exe
4576 NVIDIA Container.exe
4576 NVIDIA Container.exe
4576 NVIDIA Container.exe
4576 NVIDIA Container.exe

pid	process
4576	NVIDIA Container.exe
4576	NVIDIA Container.exe
4576	NVIDIA Container.exe
4576	NVIDIA Container.exe
4576	NVIDIA Container.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeStartMenuExperienceHost.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4576	NVIDIA Container.exe
Token: SeDebugPrivilege	3892	NVIDIA Container.exe
Token: SeDebugPrivilege	1540	NVIDIA Container.exe
Token: SeDebugPrivilege	60	StartMenuExperienceHost.exe
Token: 33	1600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1600	AUDIODG.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

╤à╨╛╨╝╤Å╨║.exeYkraine.exehitler.exeСтоны.exeNVIDIA Container.exeNVIDIA Container.exeNVIDIA Container.exeWScript.execmd.exeWScript.exeWScript.execmd.execmd.exeNVIDIA Container.exe

description	pid	process	target process
PID 4608 wrote to memory of 1560	4608	╤à╨╛╨╝╤Å╨║.exe	hitler.exe
PID 4608 wrote to memory of 1560	4608	╤à╨╛╨╝╤Å╨║.exe	hitler.exe
PID 4608 wrote to memory of 1612	4608	╤à╨╛╨╝╤Å╨║.exe	tin.exe
PID 4608 wrote to memory of 1612	4608	╤à╨╛╨╝╤Å╨║.exe	tin.exe
PID 4608 wrote to memory of 1612	4608	╤à╨╛╨╝╤Å╨║.exe	tin.exe
PID 4608 wrote to memory of 1552	4608	╤à╨╛╨╝╤Å╨║.exe	Ykraine.exe
PID 4608 wrote to memory of 1552	4608	╤à╨╛╨╝╤Å╨║.exe	Ykraine.exe
PID 4608 wrote to memory of 2676	4608	╤à╨╛╨╝╤Å╨║.exe	Стоны.exe
PID 4608 wrote to memory of 2676	4608	╤à╨╛╨╝╤Å╨║.exe	Стоны.exe
PID 1552 wrote to memory of 544	1552	Ykraine.exe	NVIDIA Container.exe
PID 1552 wrote to memory of 544	1552	Ykraine.exe	NVIDIA Container.exe
PID 1552 wrote to memory of 544	1552	Ykraine.exe	NVIDIA Container.exe
PID 1560 wrote to memory of 5008	1560	hitler.exe	NVIDIA Container.exe
PID 1560 wrote to memory of 5008	1560	hitler.exe	NVIDIA Container.exe
PID 1560 wrote to memory of 5008	1560	hitler.exe	NVIDIA Container.exe
PID 2676 wrote to memory of 2232	2676	Стоны.exe	NVIDIA Container.exe
PID 2676 wrote to memory of 2232	2676	Стоны.exe	NVIDIA Container.exe
PID 2676 wrote to memory of 2232	2676	Стоны.exe	NVIDIA Container.exe
PID 544 wrote to memory of 1600	544	NVIDIA Container.exe	WScript.exe
PID 544 wrote to memory of 1600	544	NVIDIA Container.exe	WScript.exe
PID 544 wrote to memory of 1600	544	NVIDIA Container.exe	WScript.exe
PID 5008 wrote to memory of 3256	5008	NVIDIA Container.exe	WScript.exe
PID 5008 wrote to memory of 3256	5008	NVIDIA Container.exe	WScript.exe
PID 5008 wrote to memory of 3256	5008	NVIDIA Container.exe	WScript.exe
PID 2232 wrote to memory of 2276	2232	NVIDIA Container.exe	WScript.exe
PID 2232 wrote to memory of 2276	2232	NVIDIA Container.exe	WScript.exe
PID 2232 wrote to memory of 2276	2232	NVIDIA Container.exe	WScript.exe
PID 1600 wrote to memory of 2524	1600	WScript.exe	cmd.exe
PID 1600 wrote to memory of 2524	1600	WScript.exe	cmd.exe
PID 1600 wrote to memory of 2524	1600	WScript.exe	cmd.exe
PID 2524 wrote to memory of 4576	2524	cmd.exe	NVIDIA Container.exe
PID 2524 wrote to memory of 4576	2524	cmd.exe	NVIDIA Container.exe
PID 3256 wrote to memory of 3616	3256	WScript.exe	cmd.exe
PID 3256 wrote to memory of 3616	3256	WScript.exe	cmd.exe
PID 3256 wrote to memory of 3616	3256	WScript.exe	cmd.exe
PID 2276 wrote to memory of 2764	2276	WScript.exe	cmd.exe
PID 2276 wrote to memory of 2764	2276	WScript.exe	cmd.exe
PID 2276 wrote to memory of 2764	2276	WScript.exe	cmd.exe
PID 3616 wrote to memory of 1540	3616	cmd.exe	NVIDIA Container.exe
PID 3616 wrote to memory of 1540	3616	cmd.exe	NVIDIA Container.exe
PID 2764 wrote to memory of 3892	2764	cmd.exe	NVIDIA Container.exe
PID 2764 wrote to memory of 3892	2764	cmd.exe	NVIDIA Container.exe
PID 4576 wrote to memory of 60	4576	NVIDIA Container.exe	StartMenuExperienceHost.exe
PID 4576 wrote to memory of 60	4576	NVIDIA Container.exe	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\╤à╨╛╨╝╤Å╨║.exe
"C:\Users\Admin\AppData\Local\Temp\╤à╨╛╨╝╤Å╨║.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\hitler.exe
"C:\Users\Admin\AppData\Local\Temp\hitler.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\tin.exe
"C:\Users\Admin\AppData\Local\Temp\tin.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1612

C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
"C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Default\Downloads\StartMenuExperienceHost.exe
"C:\Users\Default\Downloads\StartMenuExperienceHost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\AppData\Local\Temp\Стоны.exe
"C:\Users\Admin\AppData\Local\Temp\Стоны.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\NVIDIA Container.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\NVIDIA Container.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\My Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\DataStore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\DataStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
Filesize
1.4MB

MD5
4a591f46c87b49a7de93f5ac771cd4ab

SHA1
e0992350818e5c56d3f2e3a6db340d1f5b8f3314

SHA256
b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

SHA512
b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

Download Submit
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
Filesize
53B

MD5
7784d810f5ff3afa8df50e360eb90e7d

SHA1
f04802a991ff6461aa1c35b7c0f68e43d5a114c6

SHA256
0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

SHA512
80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

Download Submit
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
Filesize
225B

MD5
d7df2670ad0c6c7b9cc48122f20f086c

SHA1
e69bf8c214d8c4b768125ca03e402e1c871cc233

SHA256
d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

SHA512
05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
Filesize
1.8MB

MD5
531bf67134a7c1fb4096113ca58cc648

SHA1
99e0fc1fb7a07c0685e426b327921d3e6c34498c

SHA256
67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

SHA512
8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
Filesize
1.4MB

MD5
da5341ed73474db53c94c38f66e210ae

SHA1
49d8d239ac77cde765c8f516be1e52c3d2d37a2e

SHA256
bae4b959e9f74d9d085067b57a805654c86cc45f8c7cd32b9711874504ae59dd

SHA512
c2c5cf298aa6476b043e9afcd2ca4a2e685b8a96187d69b834f9f3761aa1d525a4b032d19ea03d349ef32a3ba699c3126bc359cb7f117395f5303ebebf310572

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitler.exe
Filesize
10.4MB

MD5
3a1733f19b9ca74fe793df23700c3519

SHA1
31cf4474f0ac00d45c19b7e31e7dc9fde3054091

SHA256
1b2a026beda12eff88e2397931018031e4358de05aa449e3441434e6cf5dad6c

SHA512
0cd23dce1880c0b11d19f7d58102020baba7033e828aee233f8ed6b7d11c622d1dcec38c4a3e6c4691e07f7a1609fe550a30517e662236e164e550e87bea777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tin.exe
Filesize
439KB

MD5
b3edc0708fb191e2d3016c68585ed31e

SHA1
ab1ce0cb2a819b82206dc1e922e97b284b585d17

SHA256
c9fffa589040d8a6d22285255604948ff3bb3efa7077c776b6b09272bc293b7d

SHA512
77b67f4cf6344f56e20172357831497c6ae4ff57c5a852762437419a7e5819805e10098dc87f90e937cf7603b72a94e6cf66681e1602974355fae8644b2a42dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Стоны.exe
Filesize
1.5MB

MD5
90132dd5e5a65801d56cb0b20c92d724

SHA1
bec1e6ef261f88b0aca2cb0aca2ea1eaf5f9aae7

SHA256
8e9e6d72b2a39b62c7341bdc0f529a070f25b2c33bfefe5b6cc6e5d3c86590e9

SHA512
e8c0bb9a9390558a117bdf5518a136a41b84417b01b835d092202b3e2d644bf997bd344e2a3f2a971aae5b5bcdeb85865250be5fcf86e840d854cbc7791e5f33

Download Submit
memory/1552-39-0x0000000000DE0000-0x0000000000F58000-memory.dmp

Filesize
1.5MB

Download
memory/1560-24-0x00007FF917AA0000-0x00007FF918561000-memory.dmp

Filesize
10.8MB

Download
memory/1560-25-0x0000000000590000-0x0000000000FF0000-memory.dmp

Filesize
10.4MB

Download
memory/1560-71-0x00007FF917AA0000-0x00007FF918561000-memory.dmp

Filesize
10.8MB

Download
memory/1612-26-0x0000000000480000-0x000000000051D000-memory.dmp

Filesize
628KB

Download
memory/2676-48-0x0000000000690000-0x0000000000818000-memory.dmp

Filesize
1.5MB

Download
memory/4576-79-0x00000000006C0000-0x000000000082A000-memory.dmp

Filesize
1.4MB

Download
memory/4576-80-0x000000001B940000-0x000000001B95C000-memory.dmp

Filesize
112KB

Download
memory/4576-81-0x000000001B9B0000-0x000000001BA00000-memory.dmp

Filesize
320KB

Download
memory/4576-83-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/4576-82-0x000000001B960000-0x000000001B976000-memory.dmp

Filesize
88KB

Download
memory/4576-84-0x000000001B990000-0x000000001B99E000-memory.dmp

Filesize
56KB

Download
memory/4576-85-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/4576-86-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/4608-52-0x00007FF917AA0000-0x00007FF918561000-memory.dmp

Filesize
10.8MB

Download
memory/4608-5-0x00007FF917AA0000-0x00007FF918561000-memory.dmp

Filesize
10.8MB

Download
memory/4608-0-0x00007FF917AA3000-0x00007FF917AA5000-memory.dmp

Filesize
8KB

Download
memory/4608-1-0x0000000000D80000-0x0000000001B0A000-memory.dmp

Filesize
13.5MB

Download