dcrat | 23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968

Analysis

max time kernel
51s
max time network
60s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Size

2.7MB
MD5

6820b43439b7b0b956738c547623aa7a
SHA1

0f1515df71948d13a8048b4afb6b8676c4a74298
SHA256

23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968
SHA512

9ea7d94280e5ebd4919fe9caf85d58a5c1c40d9ae3eac9f02acfdb2f62727b1168a353b6b91c2f09ee0ae68668cd2e0f823406d71fdc295f9c48639f87b39c34
SSDEEP

49152:sDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:N4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2700	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2700	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1732-1-0x0000000000250000-0x0000000000504000-memory.dmp	dcrat
behavioral1/files/0x000500000001a0a1-28.dat	dcrat
behavioral1/files/0x000500000001c757-61.dat	dcrat
behavioral1/files/0x0004000000004ed7-72.dat	dcrat
behavioral1/files/0x001100000001537c-83.dat	dcrat
behavioral1/files/0x0008000000019220-94.dat	dcrat
behavioral1/files/0x000a000000019240-105.dat	dcrat
behavioral1/files/0x00090000000194bd-116.dat	dcrat
behavioral1/files/0x000800000001a0a1-148.dat	dcrat
behavioral1/files/0x000700000001a42b-161.dat	dcrat
behavioral1/files/0x000800000001a42f-184.dat	dcrat
behavioral1/files/0x000800000001a431-198.dat	dcrat
behavioral1/memory/972-211-0x0000000001090000-0x0000000001344000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
972	System.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\42af1c969fbb7b	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\VideoLAN\csrss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\audiodg.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX218.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\69ddcba757bf72	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF1D5.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF6B9.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXFDA1.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCXF92B.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX48B.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\dwm.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\VideoLAN\886983d96e3d3e	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXF167.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF64B.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCXF8BD.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX286.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6cb0b6c459d5d3	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\Windows Mail\es-ES\dwm.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\Windows Mail\es-ES\6cb0b6c459d5d3	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\VideoLAN\RCXFFA6.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX48A.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\audiodg.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXFDA2.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\VideoLAN\RCX14.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\VideoLAN\csrss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\Lexicon\es-ES\csrss.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe
1996	schtasks.exe
304	schtasks.exe
976	schtasks.exe
2204	schtasks.exe
1632	schtasks.exe
820	schtasks.exe
2804	schtasks.exe
872	schtasks.exe
1160	schtasks.exe
2808	schtasks.exe
2544	schtasks.exe
2000	schtasks.exe
1988	schtasks.exe
1896	schtasks.exe
3048	schtasks.exe
580	schtasks.exe
1816	schtasks.exe
448	schtasks.exe
3004	schtasks.exe
2404	schtasks.exe
2712	schtasks.exe
2484	schtasks.exe
1728	schtasks.exe
1984	schtasks.exe
2208	schtasks.exe
2880	schtasks.exe
800	schtasks.exe
2660	schtasks.exe
2812	schtasks.exe
2644	schtasks.exe
2064	schtasks.exe
2396	schtasks.exe
2616	schtasks.exe
2196	schtasks.exe
2512	schtasks.exe
1964	schtasks.exe
1384	schtasks.exe
2928	schtasks.exe
1556	schtasks.exe
1612	schtasks.exe
2244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe
972	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Token: SeDebugPrivilege	972	System.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 376	1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe	74
PID 1732 wrote to memory of 376	1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe	74
PID 1732 wrote to memory of 376	1732	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe	74
PID 376 wrote to memory of 3064	376	cmd.exe	76
PID 376 wrote to memory of 3064	376	cmd.exe	76
PID 376 wrote to memory of 3064	376	cmd.exe	76
PID 376 wrote to memory of 972	376	cmd.exe	77
PID 376 wrote to memory of 972	376	cmd.exe	77
PID 376 wrote to memory of 972	376	cmd.exe	77

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
"C:\Users\Admin\AppData\Local\Temp\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EmuzDlGAME.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3064
- - C:\MSOCache\All Users\System.exe
    "C:\MSOCache\All Users\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
2.7MB

MD5
36fa49ff6840cf5b7ba34ef0a854de93

SHA1
5cd26d987d812060f42f35c32ad1d70f0aac2e6e

SHA256
cb80cab3c7399467377ff65cfc49c2afc17f9b7971eea570fc14e4b5585d11e3

SHA512
cc14ca8a5fa09198f8d286784f82586236d2b943cc0f8845aabf40ab85a0ea004204a10a7e4ce84087a3ba24958ef5f5127c104c7ef9759a9361f9c208dbfb19

Download Submit
C:\MSOCache\All Users\dwm.exe

Filesize
2.7MB

MD5
f4049196e753bb60ca966a3e493d2f81

SHA1
666ca7f1113abecad240e89e178a3b37f053b574

SHA256
65ec65f435d352dcaaba0f535705ca9ac781d73f6426fd3463b0cc6354b04cba

SHA512
54fb147479b8646f5b871fb25cda7b0a36ddd965705420177fe61dfb1493008ab164aef6d4ad04221b4f5a07200b6c2903f0797437017f6bcc1259e2e7d62e69

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe

Filesize
2.7MB

MD5
2a42153434fb5bd1e8c68447ab16256c

SHA1
59f39ea17e806d942b0291258683951701b5cfd8

SHA256
9389a646f0ea9cac5f30a441f13b8a477500239fd902e81849c25ff5b5606c51

SHA512
6628445c5fb99dfec8a4cdbb90fabaed771d3f1bc9e2760a31b2a5e48940720205bccc4a43008588fbd4b2f0d55e79fe13919215375aa58f840c0d28aeb7f394

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dwm.exe

Filesize
2.7MB

MD5
b57c7ccae3cf7eb6bf2ff7d16ae9c47f

SHA1
7281aeadc2068af11ce63f52d62b7ea137d5af22

SHA256
04fb6f5b26b005ab6d9f2986649c1b13af463d33eeab9a12d9f2b535da35ce52

SHA512
c62f84024b4acbbe9e51b333b5876a2664a9786caf8bac38f275067a4628d527a5cc643d94feb0c7e50ecb2cefb727844f04af5e4eb3fe972099882c452a8e0b

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe

Filesize
2.7MB

MD5
cdb68a4878469737ab8d95f2f60c7dd0

SHA1
622b97c9ca04e8a7102a1407743dedcad17302c5

SHA256
d49931aebe070fc93a14ea47a0799ce7717960f6bf2779c55b3eb694dfac1630

SHA512
e4b7d75b1da63bf7d8f51f34c2b782f2d1f472158f99ac4660ebdeb594d97d3850e2e24545921c4088b38b96b4453ed8a2b83f58fd5050282b3e0f9ba62bbda0

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe

Filesize
2.7MB

MD5
6820b43439b7b0b956738c547623aa7a

SHA1
0f1515df71948d13a8048b4afb6b8676c4a74298

SHA256
23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968

SHA512
9ea7d94280e5ebd4919fe9caf85d58a5c1c40d9ae3eac9f02acfdb2f62727b1168a353b6b91c2f09ee0ae68668cd2e0f823406d71fdc295f9c48639f87b39c34

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe

Filesize
2.7MB

MD5
c9765bada5c6f89a590b871cc35ae3e5

SHA1
b8013edffae607ccf23ecf04a2a6786f805aaa2a

SHA256
566be04d95bc12d9c73dd111f5a1b4ee25a3a936309c400e0f96690eb875e79a

SHA512
1f95080b2643aeec72a80b4f4b7269788d38bf949237e35820bafc006af6886e713debd4d54628c3144cde6048eb3e0183b54e851012b58d7e54bb7f5854406f

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe

Filesize
2.7MB

MD5
7d42938b250faa8ed7ab1496cfb610de

SHA1
1ee3f32e59b65184cbeb05e52fb5cf45a28d8f52

SHA256
8bf25692f48347800ca6e0fea6ba419e6f356db8c67ac5f6416a547e9efebfdb

SHA512
60b2c9267174b3695e735ef0e9bf04db1edc8ef7610fb697085883a3833482df839d8db7016f4853f7711c1841d76fd36f73262383438753439a931232fbec43

Download Submit
C:\Program Files\VideoLAN\csrss.exe

Filesize
2.7MB

MD5
75688c4b0d1d9325853792fcc8e1bfc4

SHA1
683e7eb4c26cdcd6856ee29226a75eed5f29f170

SHA256
1b573675a77c80757a9cc4879090d53ebbb077031934e079badeb4286709ca85

SHA512
6442e81bc06152ddedfffd5bc53e6efe84a6f141461bb23e90c49151471206e17b55a63d9dd48423c732133602930a280799dff58c6c9dbfb787d43d1c5282f5

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe

Filesize
2.7MB

MD5
b8fd14a13ad1c9f89be11a3329d91272

SHA1
7e2b86d69cab1ad2a6016df28aaccb586a886971

SHA256
1e4cda8a71137d84de5fb8a5d5d7f5a8847acec74406eb8c06fb373c772b29f9

SHA512
9cf6a3b4469323680e5a4b518c209c821f49068f1abef9b1b9f29c402723f064beb7fbecc653992eec377d02200ae640f94f5700447de886b0aeb2fc5af2faff

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe

Filesize
2.7MB

MD5
6a0e78512c50fade62e1fd5219321119

SHA1
23f30bed321a206c2aeed890015ccbe4cec3daf0

SHA256
f347a3b97086e38e608e043cfe54e47c827844aaf0b97228df24c71fdc9df7ac

SHA512
2e00dcc131bd7b47f8c2aa4246e58f37eefee9322bb829497b2a659ae46cf3b67b3bd537a8a790d857361c44f2a108a0d751e211acaee5969370137e56da316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmuzDlGAME.bat

Filesize
197B

MD5
203fbf50dda938e2d72e647f4600d977

SHA1
11b37d73b9d13d5ccfeeb716261a620d1fb3de51

SHA256
a9ff0b3ef3f14fc6925e87789987d2f6e52bee6c3b4e9d7c4ab4f80307c1e98a

SHA512
e094b8b35d8a51e6693de5586671ff2ef0607156bb028b6feea84dc551322c1460c009ebb18a386b592954f200c41ccf6b3e332b22459a3e4f7351ddd3f9be67

Download Submit
memory/972-211-0x0000000001090000-0x0000000001344000-memory.dmp

Filesize
2.7MB

Download
memory/972-212-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1732-9-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/1732-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1732-16-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/1732-17-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/1732-18-0x0000000002400000-0x000000000240A000-memory.dmp

Filesize
40KB

Download
memory/1732-19-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/1732-14-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1732-13-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1732-12-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1732-11-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/1732-10-0x00000000022C0000-0x0000000002316000-memory.dmp

Filesize
344KB

Download
memory/1732-15-0x0000000002350000-0x000000000235C000-memory.dmp

Filesize
48KB

Download
memory/1732-8-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1732-7-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/1732-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1732-5-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1732-189-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1732-4-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/1732-201-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-3-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1732-208-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-1-0x0000000000250000-0x0000000000504000-memory.dmp

Filesize
2.7MB

Download