dcrat | f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Size

2.7MB
MD5

4d9be74be06728c10b25ef019f7ff0b3
SHA1

10c41cfa6c5dbec839759e9fd6971e57311ea76a
SHA256

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
SHA512

5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f
SSDEEP

49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1768	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1768	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2124-1-0x0000000000760000-0x0000000000A14000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c86-30.dat	dcrat
behavioral2/files/0x000c000000023cac-99.dat	dcrat
behavioral2/files/0x0007000000023cae-123.dat	dcrat
behavioral2/files/0x0009000000023c89-134.dat	dcrat
behavioral2/files/0x0008000000023caf-169.dat	dcrat
behavioral2/files/0x0009000000023c96-180.dat	dcrat
behavioral2/files/0x000b000000023c99-204.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Executes dropped EXE 1 IoCs

pid	Process
760	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\de-DE\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\RCXB05B.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\Registry.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Common Files\smss.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXBEBE.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXBEBF.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Common Files\69ddcba757bf72	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Common Files\RCXB785.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Common Files\RCXB803.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXBCA9.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\502aa9fc76a785	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\RCXB04B.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXBCAA.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Common Files\smss.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\ee2ad38f3d4382	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\eddb19405b7ce1	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\Registry.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\Idle.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\SppExtComObj.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\SchCache\RCXC80D.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\SchCache\6ccacd8608530f	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\es-ES\RCXAE26.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\RCXC5F8.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\es-ES\502aa9fc76a785	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\RCXC5F9.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\SchCache\RCXC88B.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\SchCache\Idle.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\bcastdvr\SppExtComObj.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\bcastdvr\e1ef82546f0b02	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\es-ES\RCXAE37.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe
3584	schtasks.exe
2968	schtasks.exe
1520	schtasks.exe
4408	schtasks.exe
4860	schtasks.exe
3624	schtasks.exe
3720	schtasks.exe
64	schtasks.exe
5032	schtasks.exe
4964	schtasks.exe
3840	schtasks.exe
3548	schtasks.exe
2680	schtasks.exe
4488	schtasks.exe
4200	schtasks.exe
1972	schtasks.exe
4140	schtasks.exe
2412	schtasks.exe
3040	schtasks.exe
844	schtasks.exe
2828	schtasks.exe
1404	schtasks.exe
808	schtasks.exe
3156	schtasks.exe
2156	schtasks.exe
5048	schtasks.exe
2708	schtasks.exe
5000	schtasks.exe
2600	schtasks.exe
4172	schtasks.exe
1820	schtasks.exe
872	schtasks.exe
448	schtasks.exe
1256	schtasks.exe
3172	schtasks.exe
2068	schtasks.exe
1164	schtasks.exe
4704	schtasks.exe
2848	schtasks.exe
3088	schtasks.exe
3928	schtasks.exe
2164	schtasks.exe
1836	schtasks.exe
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
760	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Token: SeDebugPrivilege	760	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2940	2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	136
PID 2124 wrote to memory of 2940	2124	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	136
PID 2940 wrote to memory of 3732	2940	cmd.exe	138
PID 2940 wrote to memory of 3732	2940	cmd.exe	138
PID 2940 wrote to memory of 760	2940	cmd.exe	144
PID 2940 wrote to memory of 760	2940	cmd.exe	144

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
"C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rmp5bpWKI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3732
- - C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
    "C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343f" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343" /sc ONLOGON /tr "'C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343f" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343f" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343f" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\smss.exe

Filesize
2.7MB

MD5
7b53a218d03d66725f516e9b03f731b1

SHA1
8c4b3e3c6116e37ae258a14ad405e0eb0ad1d08f

SHA256
75b409706d755a4f4aa8cc6e9496793667720d9ca9d3713212f032235a84be12

SHA512
e508af94ff0ba41896df27915d3740c7495006297a799a57d45a925aa5bbe0c7a823e83e7822882f3959ffc82c6aa1705db607d72c7d6abee3e0bcf634f86a77

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\fontdrvhost.exe

Filesize
2.7MB

MD5
4d9be74be06728c10b25ef019f7ff0b3

SHA1
10c41cfa6c5dbec839759e9fd6971e57311ea76a

SHA256
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

SHA512
5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
2.7MB

MD5
8b1cac8b37c701c599fa78d5d0f482c6

SHA1
0cd6b250072f7337c66285b2f05ea64c54571a84

SHA256
b032d51c17eeb365152a0e06035ef380aacf266019db86f9034acd559aad7ba7

SHA512
3e5eb611c94cdd80681d31c2995213cddd7be67243502d1116000f6a81670208046405172afd7265f1b01af8095bcd0b6c5e481df9c9b9e968794035cca32480

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
2.7MB

MD5
28db9a5d843dd9859331ec3701b0a0ee

SHA1
6120b4c7eb3ded984725b6f71ac59c4e746db7d6

SHA256
02fa9cb2fd58ae87d96ad33ed1d8d6a981e3c47a6130f14f862a5d215286d81d

SHA512
278eb1564126b021aa7e07f179b73e3bc0101589b51db9af142a606d92c79382f2a09a967a07cadc5db15d2965fba96da62f14387d1611953f2fb0c4b370d666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2rmp5bpWKI.bat

Filesize
250B

MD5
2c4d7b43b063c668334b39eb567dab46

SHA1
681b9cc1969a7c41e7a40b423c427c9d58162645

SHA256
2829aa18776cc6fef9e6923c7b9cd8b9b602a7a0689810130abb268c4b29468e

SHA512
926acab51ddddb54c26857e7d4b2ab30b9f8c66bd98bf49adc3e9a688eea1407cd7eeb68165ad25a97e11074f05c8daa44174fa5a71e72caf957e34f240a02e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\dllhost.exe

Filesize
2.7MB

MD5
2530628212e3ff3a834f70f879823619

SHA1
27abb5cfc6cb4385c3eec7d30fa304c7b5aafb4f

SHA256
c74d7d8aa9c2c91f6ff4268b967aeb2af64a789662b9d1f919dbbf75ca09a4a1

SHA512
32abef1f6ef899d16577e878c56c3b17c844630780801b842161a64df3a6ef19c6273a62567b70f94f293c9e0b2e8eed6fc50639d507cae3a5c8b7772941530f

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
2.7MB

MD5
0473bf5d001fdb96fb5fbd5dbf2ee44d

SHA1
51f2cf068a2b3615aea8a0ea8e8cc297ad7e869b

SHA256
016785b831b514f8a59428a7692e6d4279124c6ef1d554b9b3652ab884309903

SHA512
dbf3a7caa304fd60d13fdfec1d88a84b2490191d6d50631c61e676df32e6ad7ee5faa25569fe2a9d5186c99586a0965f58b2a8658df384296495180c71fcf1d4

Download Submit
C:\Windows\SchCache\Idle.exe

Filesize
2.7MB

MD5
d4677ddd57a1e02870e722f571c4ceb2

SHA1
c76ca9cbcc8942b66093c74588373ca4356afa71

SHA256
dd790ec850bf35a7af1b22b7ad4310d2f00882263b985e7df417f11976a78496

SHA512
ab4605b087f8b69b7f4f8047ea20ab214d3f7972beaea507500b2b9b4f8530f02aa592ed900713177239cd0b6c51fd2c659ef7340a6893480bf0f38244c471c2

Download Submit
memory/760-244-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/2124-8-0x0000000002B70000-0x0000000002B86000-memory.dmp

Filesize
88KB

Download
memory/2124-9-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

Filesize
32KB

Download
memory/2124-12-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

Filesize
32KB

Download
memory/2124-13-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/2124-15-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/2124-19-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

Filesize
48KB

Download
memory/2124-18-0x000000001BDD0000-0x000000001BDDE000-memory.dmp

Filesize
56KB

Download
memory/2124-17-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/2124-21-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/2124-20-0x000000001BDF0000-0x000000001BDFA000-memory.dmp

Filesize
40KB

Download
memory/2124-16-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

Filesize
32KB

Download
memory/2124-14-0x000000001C300000-0x000000001C828000-memory.dmp

Filesize
5.2MB

Download
memory/2124-10-0x0000000002CB0000-0x0000000002CBA000-memory.dmp

Filesize
40KB

Download
memory/2124-11-0x000000001B750000-0x000000001B7A6000-memory.dmp

Filesize
344KB

Download
memory/2124-0-0x00007FFCCB7F3000-0x00007FFCCB7F5000-memory.dmp

Filesize
8KB

Download
memory/2124-6-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/2124-7-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/2124-5-0x000000001B6D0000-0x000000001B720000-memory.dmp

Filesize
320KB

Download
memory/2124-195-0x00007FFCCB7F3000-0x00007FFCCB7F5000-memory.dmp

Filesize
8KB

Download
memory/2124-4-0x0000000002B30000-0x0000000002B4C000-memory.dmp

Filesize
112KB

Download
memory/2124-207-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2124-239-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2124-3-0x0000000002B20000-0x0000000002B2E000-memory.dmp

Filesize
56KB

Download
memory/2124-2-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2124-1-0x0000000000760000-0x0000000000A14000-memory.dmp

Filesize
2.7MB

Download