dcrat | 9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Size

3.3MB
MD5

0ad0b4a4a549230e090d712b5521bd96
SHA1

55690e0d976955e80f14c314efcaa34e3303a02b
SHA256

9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429
SHA512

b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027
SSDEEP

49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 13 IoCs

pid	Process
2440	System.exe
3804	System.exe
472	System.exe
3768	System.exe
3572	System.exe
3260	System.exe
3748	System.exe
1852	System.exe
3044	System.exe
1676	System.exe
848	System.exe
4312	System.exe
3624	System.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\22eafd247d37c3	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\RuntimeBroker.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RuntimeBroker.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\9e8d7a4ca61bd9	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Adobe\wininit.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Adobe\56085415360792	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files\MSBuild\Microsoft\TextInputHost.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5068	PING.EXE
216	PING.EXE
556	PING.EXE
4444	PING.EXE
1788	PING.EXE
368	PING.EXE
388	PING.EXE
3280	PING.EXE
2152	PING.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
556	PING.EXE
1788	PING.EXE
368	PING.EXE
2152	PING.EXE
216	PING.EXE
4444	PING.EXE
3280	PING.EXE
388	PING.EXE
5068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Token: SeDebugPrivilege	2440	System.exe
Token: SeDebugPrivilege	3804	System.exe
Token: SeDebugPrivilege	472	System.exe
Token: SeDebugPrivilege	3768	System.exe
Token: SeDebugPrivilege	3572	System.exe
Token: SeDebugPrivilege	3260	System.exe
Token: SeDebugPrivilege	3748	System.exe
Token: SeDebugPrivilege	1852	System.exe
Token: SeDebugPrivilege	3044	System.exe
Token: SeDebugPrivilege	1676	System.exe
Token: SeDebugPrivilege	848	System.exe
Token: SeDebugPrivilege	4312	System.exe
Token: SeDebugPrivilege	3624	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1832	3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe	87
PID 3460 wrote to memory of 1832	3460	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe	87
PID 1832 wrote to memory of 1856	1832	cmd.exe	89
PID 1832 wrote to memory of 1856	1832	cmd.exe	89
PID 1832 wrote to memory of 216	1832	cmd.exe	90
PID 1832 wrote to memory of 216	1832	cmd.exe	90
PID 1832 wrote to memory of 2440	1832	cmd.exe	96
PID 1832 wrote to memory of 2440	1832	cmd.exe	96
PID 2440 wrote to memory of 3732	2440	System.exe	99
PID 2440 wrote to memory of 3732	2440	System.exe	99
PID 3732 wrote to memory of 3840	3732	cmd.exe	101
PID 3732 wrote to memory of 3840	3732	cmd.exe	101
PID 3732 wrote to memory of 556	3732	cmd.exe	102
PID 3732 wrote to memory of 556	3732	cmd.exe	102
PID 3732 wrote to memory of 3804	3732	cmd.exe	103
PID 3732 wrote to memory of 3804	3732	cmd.exe	103
PID 3804 wrote to memory of 1000	3804	System.exe	104
PID 3804 wrote to memory of 1000	3804	System.exe	104
PID 1000 wrote to memory of 4372	1000	cmd.exe	106
PID 1000 wrote to memory of 4372	1000	cmd.exe	106
PID 1000 wrote to memory of 672	1000	cmd.exe	107
PID 1000 wrote to memory of 672	1000	cmd.exe	107
PID 1000 wrote to memory of 472	1000	cmd.exe	109
PID 1000 wrote to memory of 472	1000	cmd.exe	109
PID 472 wrote to memory of 4592	472	System.exe	112
PID 472 wrote to memory of 4592	472	System.exe	112
PID 4592 wrote to memory of 1516	4592	cmd.exe	114
PID 4592 wrote to memory of 1516	4592	cmd.exe	114
PID 4592 wrote to memory of 2776	4592	cmd.exe	115
PID 4592 wrote to memory of 2776	4592	cmd.exe	115
PID 4592 wrote to memory of 3768	4592	cmd.exe	116
PID 4592 wrote to memory of 3768	4592	cmd.exe	116
PID 3768 wrote to memory of 4964	3768	System.exe	117
PID 3768 wrote to memory of 4964	3768	System.exe	117
PID 4964 wrote to memory of 3608	4964	cmd.exe	119
PID 4964 wrote to memory of 3608	4964	cmd.exe	119
PID 4964 wrote to memory of 3616	4964	cmd.exe	120
PID 4964 wrote to memory of 3616	4964	cmd.exe	120
PID 4964 wrote to memory of 3572	4964	cmd.exe	121
PID 4964 wrote to memory of 3572	4964	cmd.exe	121
PID 3572 wrote to memory of 3720	3572	System.exe	122
PID 3572 wrote to memory of 3720	3572	System.exe	122
PID 3720 wrote to memory of 1984	3720	cmd.exe	124
PID 3720 wrote to memory of 1984	3720	cmd.exe	124
PID 3720 wrote to memory of 4444	3720	cmd.exe	125
PID 3720 wrote to memory of 4444	3720	cmd.exe	125
PID 3720 wrote to memory of 3260	3720	cmd.exe	126
PID 3720 wrote to memory of 3260	3720	cmd.exe	126
PID 3260 wrote to memory of 4748	3260	System.exe	127
PID 3260 wrote to memory of 4748	3260	System.exe	127
PID 4748 wrote to memory of 2044	4748	cmd.exe	129
PID 4748 wrote to memory of 2044	4748	cmd.exe	129
PID 4748 wrote to memory of 3280	4748	cmd.exe	130
PID 4748 wrote to memory of 3280	4748	cmd.exe	130
PID 4748 wrote to memory of 3748	4748	cmd.exe	132
PID 4748 wrote to memory of 3748	4748	cmd.exe	132
PID 3748 wrote to memory of 4076	3748	System.exe	133
PID 3748 wrote to memory of 4076	3748	System.exe	133
PID 4076 wrote to memory of 752	4076	cmd.exe	135
PID 4076 wrote to memory of 752	4076	cmd.exe	135
PID 4076 wrote to memory of 1788	4076	cmd.exe	136
PID 4076 wrote to memory of 1788	4076	cmd.exe	136
PID 4076 wrote to memory of 1852	4076	cmd.exe	137
PID 4076 wrote to memory of 1852	4076	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
"C:\Users\Admin\AppData\Local\Temp\9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IIM9E92stD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1856
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:216
- - C:\Users\Default\Videos\System.exe
    "C:\Users\Default\Videos\System.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3840
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
    - - C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:672
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2776
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LsjJJiW2rn.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3616
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G9JNvaemPW.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3280
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"
        18⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:368
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        20⤵
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:388
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat"
        22⤵
        
        PID:4052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1984
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SiGToND0AD.bat"
        24⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5068
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat"
        26⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4248
        
        C:\Users\Default\Videos\System.exe
        
        "C:\Users\Default\Videos\System.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qp3qGlURdT.bat"
        28⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat

Filesize
162B

MD5
c89810aa71ac6900f51c52969cb80874

SHA1
6ebd2b47b7ba391c0bbb911ed03e529e8ef7f4ab

SHA256
e9de2fe3f6843f0fccd7a2cd9b211d9632fee2bd5bc15d9b989b613eb6156157

SHA512
0a3b206d3d1cb47e51028180032802897e0a34118c2fe64e5127472a091a4502286e1e8e48c2a070b5a5802575025a711b4255c8011b2c235fe609541cbb1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat

Filesize
162B

MD5
1b28302006aa6cce835ad07c971bb6d2

SHA1
ee630cf8b4383ce3701b40d8c5b0ef0f6ce52d72

SHA256
f31e5e46839eac1e98e2f5a6ea83a4c11b35c28e00d4e352a85458add6339f49

SHA512
fdc455bacc2a58a3df33efbad08e1983d324ecf48af202f44d943ba7677ec6134a7cce41d717e351a01f0c33502b1d250b1c030b5de976ddd465864c171f38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat

Filesize
210B

MD5
44d632cc4ef6155c23b0f9aa840a7d54

SHA1
4dcbe204821933fd06bc6039c4a0180d7228eb6f

SHA256
4bfb9e64f0f12568647d82cc025ba1a630e771644d1de85e424235a561b08eb7

SHA512
37eda995c750cfcbc9b7c4829f295873358f7ec368f46e32dd1141863fde71b6686002809eff9ca1b187060a8129cbee0a48f94f4941b4337a45a3455cc137c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat

Filesize
162B

MD5
f847bbbed6809ae78231bf3f7ac35163

SHA1
0e0682bd06ea5a32d3fd3b15ee00c0b5b62299aa

SHA256
9ea319843d651da293aff2c6f2a34e73bbc3d20c3df8e3023dd27a81e1308a7c

SHA512
212174dbed03d0f22ff7cbc2667b0bcffb22ac7d8a2431da9de7b875ae580e66705c0b16e29200823b3c547b38f7d6bfb6ae0e11795ec292463ef5baa1dcf9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\G9JNvaemPW.bat

Filesize
162B

MD5
590129611fdc2901d60f5b6b62d61dba

SHA1
2d7b4464fb12056d228f0c015a4dd6905dc4efb6

SHA256
032e1a2ff3dc2828cf88bdd82368bbe65220fc262c84178bb403d4a50d622607

SHA512
48d9d5b299d6cccbcb50ee159b56a45ae22049becfda7d533baebb79d341d7b6c3afc9e9fc1b51de168c1e1c293fcd55d5c937e114a80cb9ed0d2e3d44fb8228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIM9E92stD.bat

Filesize
162B

MD5
e98e42ec9be2d5e8865d19560384bf29

SHA1
d3aeb6cc8373055768ee7235eeb3eb570825a4f1

SHA256
5d5dfc20f04e3d147c7745b5d785a36362adafedac3b2a4ab962abbd66ec4e74

SHA512
7e1e090ec55ad3998562fedbc158468f094a04116e85a27ac2bd20f5495b8bb1bfbd2f5fcc0bcc123a074faae32c8936333492e60b2e61e2e3bbd2eccbedda44

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsjJJiW2rn.bat

Filesize
210B

MD5
e8f2c8e00797cde8569ba46f5ed25139

SHA1
681ff487b3e2b35018fa12aa580b1623be0f5fb1

SHA256
dd15bf85af1b9f2ce926f06c1d0c2905be4b25a9b1bb0cb72c0db41345211f13

SHA512
f9ba64cd32077753b31c65d2f037e514ecb72bafff58fe9a6d8b8b1a837331bbbe022926c594743a4b0c464dcc5affd5c13a8cb8251299e12c94bba1cef3b8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qp3qGlURdT.bat

Filesize
162B

MD5
9f55cf10e6482f9062b85bc5b6c75267

SHA1
67961dc4bf96731fcac2e8c97dec6b0083bc5c03

SHA256
d42778d65befd6b984b173c87cc737dd193ab866f401ab205c7e6bf3df60a15e

SHA512
db3774f9a4a9c6f6b80a219c00f298cb51653a84f5059beb50861d92450a3a58a9649f2120a8c3a920e324f9f7790012313735a3adb86931884d1b2a54209ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiGToND0AD.bat

Filesize
162B

MD5
4d36ca35fec18d22704f9a20f00102f0

SHA1
68339ad0210e1c716b0e74fdc769fe75362159ca

SHA256
b16cebb1f12789ba710ed0da6520870958b1ed4c48f39b410deadc711dd0a8b8

SHA512
700a9b9265e8992f5a42974ba5718ee47e7a68800a77d587fcc423caae890c17a4c87af90e3a57e83741c5d6d72589bc584efc3274e928ff91219680b8323f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat

Filesize
210B

MD5
b923c6faa550456a6b87676c86201b03

SHA1
e69108b7a5b2180c40d0ae53ee37030f1951d637

SHA256
074e640e7252b90d221a13b8d39ecc3ef72f7148cc4a8617fa09b40fc466eb75

SHA512
d5e1cab247b6a951a3863ec2ceda5075f6265bdacd5c5b1093175fd751e8608261c583ebbc3dec8d75996220c236e73864745e9b2a427b0626073414302d2371

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2RsHXtgrT.bat

Filesize
210B

MD5
1bdc9f7bf2d2b4cf447d95bcc863c459

SHA1
3bff1de98c0284baf29a98a0a22c61eed0a5b748

SHA256
4a2d977d50dccc2f9f669f3a760a4f73481c88cbebd4fab63e2b60ef25a75aea

SHA512
a391685c27f250c32402ac558f527d620afe6aa086a20377dcdaa1cb6d6ffd53f02b564627ceba77d15ed2a47ade108457f6f57d06236114360e5ae3eef0fbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
162B

MD5
35e7a280cc637cbfc6c4d9bdf2ba2685

SHA1
64dd0b6fa0f9f8e508701677b521209ef5d83c1a

SHA256
fa687baed543233d63dffca5b49b982b4313915350686bf5eb5eb868e6aa5eac

SHA512
37930258d7368f466d106f4a9c2d622330cfb68c8d0a183976fba6cd30a7fb24e31e36e422a742ffa4855a46013e823798b078a9042d842698e6c75430921479

Download Submit
C:\Users\Default\Videos\System.exe

Filesize
3.3MB

MD5
0ad0b4a4a549230e090d712b5521bd96

SHA1
55690e0d976955e80f14c314efcaa34e3303a02b

SHA256
9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

SHA512
b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027

Download Submit
memory/472-146-0x000000001B960000-0x000000001B9CB000-memory.dmp

Filesize
428KB

Download
memory/472-145-0x000000001B7B0000-0x000000001B859000-memory.dmp

Filesize
676KB

Download
memory/848-346-0x000000001BE60000-0x000000001BECB000-memory.dmp

Filesize
428KB

Download
memory/848-345-0x000000001BCB0000-0x000000001BD59000-memory.dmp

Filesize
676KB

Download
memory/1676-321-0x000000001B960000-0x000000001B9CB000-memory.dmp

Filesize
428KB

Download
memory/1676-320-0x000000001B7B0000-0x000000001B859000-memory.dmp

Filesize
676KB

Download
memory/1852-270-0x000000001C490000-0x000000001C539000-memory.dmp

Filesize
676KB

Download
memory/1852-271-0x000000001C640000-0x000000001C6AB000-memory.dmp

Filesize
428KB

Download
memory/2440-95-0x000000001C2A0000-0x000000001C30B000-memory.dmp

Filesize
428KB

Download
memory/2440-94-0x000000001C0F0000-0x000000001C199000-memory.dmp

Filesize
676KB

Download
memory/3044-296-0x000000001B910000-0x000000001B97B000-memory.dmp

Filesize
428KB

Download
memory/3044-295-0x000000001B760000-0x000000001B809000-memory.dmp

Filesize
676KB

Download
memory/3260-220-0x000000001BBC0000-0x000000001BC69000-memory.dmp

Filesize
676KB

Download
memory/3260-221-0x000000001BD70000-0x000000001BDDB000-memory.dmp

Filesize
428KB

Download
memory/3460-10-0x0000000001130000-0x000000000113E000-memory.dmp

Filesize
56KB

Download
memory/3460-12-0x0000000002AA0000-0x0000000002ABC000-memory.dmp

Filesize
112KB

Download
memory/3460-43-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-47-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/3460-49-0x000000001BBD0000-0x000000001BC1E000-memory.dmp

Filesize
312KB

Download
memory/3460-32-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-66-0x000000001C870000-0x000000001C919000-memory.dmp

Filesize
676KB

Download
memory/3460-68-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-39-0x000000001BB20000-0x000000001BB7A000-memory.dmp

Filesize
360KB

Download
memory/3460-37-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-34-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/3460-36-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/3460-1-0x00000000005D0000-0x0000000000916000-memory.dmp

Filesize
3.3MB

Download
memory/3460-2-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-3-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-29-0x000000001BFF0000-0x000000001C518000-memory.dmp

Filesize
5.2MB

Download
memory/3460-26-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-28-0x000000001BAA0000-0x000000001BAB2000-memory.dmp

Filesize
72KB

Download
memory/3460-24-0x000000001B570000-0x000000001B586000-memory.dmp

Filesize
88KB

Download
memory/3460-4-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-6-0x0000000002A50000-0x0000000002A76000-memory.dmp

Filesize
152KB

Download
memory/3460-25-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-45-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3460-31-0x0000000002A90000-0x0000000002A9E000-memory.dmp

Filesize
56KB

Download
memory/3460-17-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/3460-0-0x00007FFFAC463000-0x00007FFFAC465000-memory.dmp

Filesize
8KB

Download
memory/3460-40-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-18-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-7-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-8-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

Filesize
10.8MB

Download
memory/3460-20-0x0000000002A80000-0x0000000002A8E000-memory.dmp

Filesize
56KB

Download
memory/3460-22-0x000000001B4F0000-0x000000001B502000-memory.dmp

Filesize
72KB

Download
memory/3460-15-0x0000000002AC0000-0x0000000002AD8000-memory.dmp

Filesize
96KB

Download
memory/3460-13-0x000000001B520000-0x000000001B570000-memory.dmp

Filesize
320KB

Download
memory/3460-42-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/3572-195-0x000000001BBF0000-0x000000001BC99000-memory.dmp

Filesize
676KB

Download
memory/3572-196-0x000000001BDA0000-0x000000001BE0B000-memory.dmp

Filesize
428KB

Download
memory/3624-396-0x000000001BC50000-0x000000001BCBB000-memory.dmp

Filesize
428KB

Download
memory/3624-395-0x000000001BAA0000-0x000000001BB49000-memory.dmp

Filesize
676KB

Download
memory/3748-245-0x000000001BEA0000-0x000000001BF49000-memory.dmp

Filesize
676KB

Download
memory/3748-246-0x000000001C050000-0x000000001C0BB000-memory.dmp

Filesize
428KB

Download
memory/3768-170-0x000000001B9A0000-0x000000001BA49000-memory.dmp

Filesize
676KB

Download
memory/3768-171-0x000000001BB50000-0x000000001BBBB000-memory.dmp

Filesize
428KB

Download
memory/3804-121-0x000000001BC30000-0x000000001BC9B000-memory.dmp

Filesize
428KB

Download
memory/3804-120-0x000000001BA80000-0x000000001BB29000-memory.dmp

Filesize
676KB

Download
memory/4312-370-0x000000001B7B0000-0x000000001B859000-memory.dmp

Filesize
676KB

Download
memory/4312-371-0x000000001B960000-0x000000001B9CB000-memory.dmp

Filesize
428KB

Download