dcrat | 1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15/10/2022, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37aa26e9208b0930fb1068d718d2e32e.exe
Size

4.9MB
MD5

37aa26e9208b0930fb1068d718d2e32e
SHA1

89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc
SHA256

1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3
SHA512

5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1488	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1488	schtasks.exe	27

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1196-55-0x000000001BAF0000-0x000000001BC1E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2212	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Policies\7a0fd90576e088	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Windows Media Player\de-DE\smss.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Windows Media Player\de-DE\69ddcba757bf72	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\RCX193F.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\explorer.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX21B9.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\smss.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Google\Policies\explorer.exe	37aa26e9208b0930fb1068d718d2e32e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1232	schtasks.exe
1040	schtasks.exe
1888	schtasks.exe
988	schtasks.exe
788	schtasks.exe
2004	schtasks.exe
1932	schtasks.exe
1724	schtasks.exe
968	schtasks.exe
1556	schtasks.exe
972	schtasks.exe
656	schtasks.exe
1796	schtasks.exe
1516	schtasks.exe
1976	schtasks.exe
1668	schtasks.exe
704	schtasks.exe
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1196	37aa26e9208b0930fb1068d718d2e32e.exe
1196	37aa26e9208b0930fb1068d718d2e32e.exe
1196	37aa26e9208b0930fb1068d718d2e32e.exe
1196	37aa26e9208b0930fb1068d718d2e32e.exe
1196	37aa26e9208b0930fb1068d718d2e32e.exe
2212	explorer.exe
964	powershell.exe
1940	powershell.exe
1960	powershell.exe
820	powershell.exe
752	powershell.exe
1704	powershell.exe
1064	powershell.exe
696	powershell.exe
616	powershell.exe
632	powershell.exe
1992	powershell.exe
1744	powershell.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	37aa26e9208b0930fb1068d718d2e32e.exe
Token: SeDebugPrivilege	2212	explorer.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	explorer.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1704	1196	37aa26e9208b0930fb1068d718d2e32e.exe	46
PID 1196 wrote to memory of 1704	1196	37aa26e9208b0930fb1068d718d2e32e.exe	46
PID 1196 wrote to memory of 1704	1196	37aa26e9208b0930fb1068d718d2e32e.exe	46
PID 1196 wrote to memory of 752	1196	37aa26e9208b0930fb1068d718d2e32e.exe	47
PID 1196 wrote to memory of 752	1196	37aa26e9208b0930fb1068d718d2e32e.exe	47
PID 1196 wrote to memory of 752	1196	37aa26e9208b0930fb1068d718d2e32e.exe	47
PID 1196 wrote to memory of 820	1196	37aa26e9208b0930fb1068d718d2e32e.exe	50
PID 1196 wrote to memory of 820	1196	37aa26e9208b0930fb1068d718d2e32e.exe	50
PID 1196 wrote to memory of 820	1196	37aa26e9208b0930fb1068d718d2e32e.exe	50
PID 1196 wrote to memory of 1744	1196	37aa26e9208b0930fb1068d718d2e32e.exe	52
PID 1196 wrote to memory of 1744	1196	37aa26e9208b0930fb1068d718d2e32e.exe	52
PID 1196 wrote to memory of 1744	1196	37aa26e9208b0930fb1068d718d2e32e.exe	52
PID 1196 wrote to memory of 1992	1196	37aa26e9208b0930fb1068d718d2e32e.exe	53
PID 1196 wrote to memory of 1992	1196	37aa26e9208b0930fb1068d718d2e32e.exe	53
PID 1196 wrote to memory of 1992	1196	37aa26e9208b0930fb1068d718d2e32e.exe	53
PID 1196 wrote to memory of 632	1196	37aa26e9208b0930fb1068d718d2e32e.exe	54
PID 1196 wrote to memory of 632	1196	37aa26e9208b0930fb1068d718d2e32e.exe	54
PID 1196 wrote to memory of 632	1196	37aa26e9208b0930fb1068d718d2e32e.exe	54
PID 1196 wrote to memory of 696	1196	37aa26e9208b0930fb1068d718d2e32e.exe	56
PID 1196 wrote to memory of 696	1196	37aa26e9208b0930fb1068d718d2e32e.exe	56
PID 1196 wrote to memory of 696	1196	37aa26e9208b0930fb1068d718d2e32e.exe	56
PID 1196 wrote to memory of 1940	1196	37aa26e9208b0930fb1068d718d2e32e.exe	58
PID 1196 wrote to memory of 1940	1196	37aa26e9208b0930fb1068d718d2e32e.exe	58
PID 1196 wrote to memory of 1940	1196	37aa26e9208b0930fb1068d718d2e32e.exe	58
PID 1196 wrote to memory of 616	1196	37aa26e9208b0930fb1068d718d2e32e.exe	59
PID 1196 wrote to memory of 616	1196	37aa26e9208b0930fb1068d718d2e32e.exe	59
PID 1196 wrote to memory of 616	1196	37aa26e9208b0930fb1068d718d2e32e.exe	59
PID 1196 wrote to memory of 1960	1196	37aa26e9208b0930fb1068d718d2e32e.exe	60
PID 1196 wrote to memory of 1960	1196	37aa26e9208b0930fb1068d718d2e32e.exe	60
PID 1196 wrote to memory of 1960	1196	37aa26e9208b0930fb1068d718d2e32e.exe	60
PID 1196 wrote to memory of 964	1196	37aa26e9208b0930fb1068d718d2e32e.exe	65
PID 1196 wrote to memory of 964	1196	37aa26e9208b0930fb1068d718d2e32e.exe	65
PID 1196 wrote to memory of 964	1196	37aa26e9208b0930fb1068d718d2e32e.exe	65
PID 1196 wrote to memory of 1064	1196	37aa26e9208b0930fb1068d718d2e32e.exe	68
PID 1196 wrote to memory of 1064	1196	37aa26e9208b0930fb1068d718d2e32e.exe	68
PID 1196 wrote to memory of 1064	1196	37aa26e9208b0930fb1068d718d2e32e.exe	68
PID 1196 wrote to memory of 2212	1196	37aa26e9208b0930fb1068d718d2e32e.exe	70
PID 1196 wrote to memory of 2212	1196	37aa26e9208b0930fb1068d718d2e32e.exe	70
PID 1196 wrote to memory of 2212	1196	37aa26e9208b0930fb1068d718d2e32e.exe	70
PID 2212 wrote to memory of 2616	2212	explorer.exe	71
PID 2212 wrote to memory of 2616	2212	explorer.exe	71
PID 2212 wrote to memory of 2616	2212	explorer.exe	71
PID 2212 wrote to memory of 2636	2212	explorer.exe	72
PID 2212 wrote to memory of 2636	2212	explorer.exe	72
PID 2212 wrote to memory of 2636	2212	explorer.exe	72

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe

C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
"C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Program Files (x86)\Google\Policies\explorer.exe
  "C:\Program Files (x86)\Google\Policies\explorer.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2212
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f8e6773-a8cc-45c3-9153-7068cfa0f40b.vbs"
    3⤵
    PID:2616
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7876fa1a-e8c5-4649-ba1c-840ed3130ee5.vbs"
    3⤵
    PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Policies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Policies\explorer.exe

Filesize
4.9MB

MD5
f1cbc48ff46dd3e0705a20dedf8b377b

SHA1
b427eee6450f9b1fb5e0df7a96659cde25340a26

SHA256
de2742b8ca406eae90e4ce50bca961edcafb5f61e2df21362a59f12216880679

SHA512
5d9fd4c70a016ebd80f398ae837b205595bfe71d56c4d77b0afa0e3911cdf826e403ba6f696f5e4bd6fc7e4b1e5cd45e37e449138f0b0764078329eb40548586

Download Submit
C:\Program Files (x86)\Google\Policies\explorer.exe

Filesize
4.9MB

MD5
f1cbc48ff46dd3e0705a20dedf8b377b

SHA1
b427eee6450f9b1fb5e0df7a96659cde25340a26

SHA256
de2742b8ca406eae90e4ce50bca961edcafb5f61e2df21362a59f12216880679

SHA512
5d9fd4c70a016ebd80f398ae837b205595bfe71d56c4d77b0afa0e3911cdf826e403ba6f696f5e4bd6fc7e4b1e5cd45e37e449138f0b0764078329eb40548586

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f8e6773-a8cc-45c3-9153-7068cfa0f40b.vbs

Filesize
727B

MD5
095b37ea376cf0f3ba9a1b18c818af79

SHA1
2b6718d70304f0b1b77a50bf1b0aac4ed35a02f3

SHA256
c55c738d8bad2e2e5d76ba23b72bb76642ff9b44da5de79037f8224af6496cfc

SHA512
07618dba8adaa44f53d61db7250c7632d80c9d4cdae8d638f7f3036d57ddfa3449fef51242271620a3deab41bd4a79533e01d69cdbbb78b8ec677c6d269f6f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7876fa1a-e8c5-4649-ba1c-840ed3130ee5.vbs

Filesize
503B

MD5
579068cdfeb484ffb953bd412329cd53

SHA1
d7bcfc457889298e91bcc079eb5b98457fbccaba

SHA256
47350408841c090ce9534707fbc92135051709e23485ef4d6ef08d620ee4602f

SHA512
c439632c14e1afe88cf343fc86ffa0f8da7715c53d59b212b9d639176d17440e7e743b3c3dadbff77bcbdfb9b2203a23638e70760cb2e2010f737425266f2ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ece50daa6f8820eada3c764ad11b117

SHA1
93550e1b4bf98f98eaedee8055a64744323d614f

SHA256
8adeb1e24dcf5968a84859c5dc324b9b1a34d446a3f5557f3ff7e3f0a6c09d57

SHA512
76a66fbb5077732f05f9582e9d41f571ccc4e1e657712f9bc7dac3ac21671940b21d7619158264eab39ced1e2cbcfa5da4798c47b04ae24704bdea7b581d9beb

Download Submit
memory/616-182-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/616-140-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/616-188-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/616-162-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/616-131-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/616-105-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/632-144-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/632-165-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/632-114-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/632-127-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/632-155-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/632-122-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/696-180-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/696-137-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/696-176-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/696-130-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/696-112-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/696-163-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/752-154-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/752-169-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/752-167-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/752-146-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/752-121-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/752-126-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/752-113-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/820-115-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/820-178-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/820-173-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/820-147-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/820-159-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/820-129-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/820-139-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/964-135-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/964-106-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/964-156-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/964-145-0x000000001B910000-0x000000001BC0F000-memory.dmp

Filesize
3.0MB

Download
memory/964-170-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/964-168-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/964-124-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-132-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1064-116-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1064-142-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1064-179-0x000000000298B000-0x00000000029AA000-memory.dmp

Filesize
124KB

Download
memory/1064-175-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1196-54-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/1196-63-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1196-59-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/1196-65-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/1196-56-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/1196-57-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/1196-61-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1196-58-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1196-62-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1196-66-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/1196-67-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/1196-60-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1196-64-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/1196-68-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/1196-55-0x000000001BAF0000-0x000000001BC1E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-161-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1704-184-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/1704-187-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1704-118-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1704-138-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1704-133-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1744-174-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1744-134-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1744-171-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1744-117-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1744-143-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1744-153-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1744-164-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1940-111-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1940-158-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1940-120-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1940-181-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1940-183-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/1940-123-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1960-136-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1960-150-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1960-177-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1960-141-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1960-172-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1960-119-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1960-157-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1992-81-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1992-84-0x000007FEEB1D0000-0x000007FEEBBF3000-memory.dmp

Filesize
10.1MB

Download
memory/1992-185-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/1992-160-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1992-186-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/1992-125-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1992-128-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2212-110-0x0000000000CB0000-0x00000000011A4000-memory.dmp

Filesize
5.0MB

Download
memory/2212-189-0x000000001B537000-0x000000001B556000-memory.dmp

Filesize
124KB

Download
memory/2212-190-0x000000001B537000-0x000000001B556000-memory.dmp

Filesize
124KB

Download