dcrat | 87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
Size

1.3MB
MD5

b824107c0e731c4f3fa49a681aaf188a
SHA1

f927fefec8cd29112f68102f54eab742b0c83ff7
SHA256

87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42
SHA512

31610a2ece6c1e17de44dadddfc1c95310d836af129752e2c6585e75a54c1204203f12f10c27011029bb29548a353831e0bebcb3f75c0392ecdd9722a85e5ddf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2784	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2784	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d79-12.dat	dcrat
behavioral1/memory/2752-13-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/988-66-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2816-125-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2756-185-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/328-246-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2400-306-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/620-366-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2748-426-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/448-487-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2460-606-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1900	powershell.exe
2556	powershell.exe
2112	powershell.exe
2020	powershell.exe
1656	powershell.exe
2416	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	DllCommonsvc.exe
988	Idle.exe
2816	Idle.exe
2756	Idle.exe
328	Idle.exe
2400	Idle.exe
620	Idle.exe
2748	Idle.exe
448	Idle.exe
1804	Idle.exe
2460	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	cmd.exe
2352	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2708	schtasks.exe
2152	schtasks.exe
1512	schtasks.exe
1408	schtasks.exe
764	schtasks.exe
2204	schtasks.exe
1664	schtasks.exe
1256	schtasks.exe
2724	schtasks.exe
1504	schtasks.exe
1540	schtasks.exe
2924	schtasks.exe
2664	schtasks.exe
1284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2416	powershell.exe
2556	powershell.exe
2020	powershell.exe
1656	powershell.exe
2112	powershell.exe
1900	powershell.exe
988	Idle.exe
2816	Idle.exe
2756	Idle.exe
328	Idle.exe
2400	Idle.exe
620	Idle.exe
2748	Idle.exe
448	Idle.exe
1804	Idle.exe
2460	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	988	Idle.exe
Token: SeDebugPrivilege	2816	Idle.exe
Token: SeDebugPrivilege	2756	Idle.exe
Token: SeDebugPrivilege	328	Idle.exe
Token: SeDebugPrivilege	2400	Idle.exe
Token: SeDebugPrivilege	620	Idle.exe
Token: SeDebugPrivilege	2748	Idle.exe
Token: SeDebugPrivilege	448	Idle.exe
Token: SeDebugPrivilege	1804	Idle.exe
Token: SeDebugPrivilege	2460	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2620	2128	JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe	30
PID 2128 wrote to memory of 2620	2128	JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe	30
PID 2128 wrote to memory of 2620	2128	JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe	30
PID 2128 wrote to memory of 2620	2128	JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe	30
PID 2620 wrote to memory of 2352	2620	WScript.exe	31
PID 2620 wrote to memory of 2352	2620	WScript.exe	31
PID 2620 wrote to memory of 2352	2620	WScript.exe	31
PID 2620 wrote to memory of 2352	2620	WScript.exe	31
PID 2352 wrote to memory of 2752	2352	cmd.exe	33
PID 2352 wrote to memory of 2752	2352	cmd.exe	33
PID 2352 wrote to memory of 2752	2352	cmd.exe	33
PID 2352 wrote to memory of 2752	2352	cmd.exe	33
PID 2752 wrote to memory of 1656	2752	DllCommonsvc.exe	50
PID 2752 wrote to memory of 1656	2752	DllCommonsvc.exe	50
PID 2752 wrote to memory of 1656	2752	DllCommonsvc.exe	50
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	51
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	51
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	51
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	52
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	52
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	52
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	53
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	53
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	53
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	54
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	54
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	54
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	55
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	55
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	55
PID 2752 wrote to memory of 1076	2752	DllCommonsvc.exe	62
PID 2752 wrote to memory of 1076	2752	DllCommonsvc.exe	62
PID 2752 wrote to memory of 1076	2752	DllCommonsvc.exe	62
PID 1076 wrote to memory of 824	1076	cmd.exe	64
PID 1076 wrote to memory of 824	1076	cmd.exe	64
PID 1076 wrote to memory of 824	1076	cmd.exe	64
PID 1076 wrote to memory of 988	1076	cmd.exe	65
PID 1076 wrote to memory of 988	1076	cmd.exe	65
PID 1076 wrote to memory of 988	1076	cmd.exe	65
PID 988 wrote to memory of 2116	988	Idle.exe	67
PID 988 wrote to memory of 2116	988	Idle.exe	67
PID 988 wrote to memory of 2116	988	Idle.exe	67
PID 2116 wrote to memory of 2464	2116	cmd.exe	69
PID 2116 wrote to memory of 2464	2116	cmd.exe	69
PID 2116 wrote to memory of 2464	2116	cmd.exe	69
PID 2116 wrote to memory of 2816	2116	cmd.exe	70
PID 2116 wrote to memory of 2816	2116	cmd.exe	70
PID 2116 wrote to memory of 2816	2116	cmd.exe	70
PID 2816 wrote to memory of 908	2816	Idle.exe	71
PID 2816 wrote to memory of 908	2816	Idle.exe	71
PID 2816 wrote to memory of 908	2816	Idle.exe	71
PID 908 wrote to memory of 2268	908	cmd.exe	73
PID 908 wrote to memory of 2268	908	cmd.exe	73
PID 908 wrote to memory of 2268	908	cmd.exe	73
PID 908 wrote to memory of 2756	908	cmd.exe	74
PID 908 wrote to memory of 2756	908	cmd.exe	74
PID 908 wrote to memory of 2756	908	cmd.exe	74
PID 2756 wrote to memory of 2752	2756	Idle.exe	75
PID 2756 wrote to memory of 2752	2756	Idle.exe	75
PID 2756 wrote to memory of 2752	2756	Idle.exe	75
PID 2752 wrote to memory of 1964	2752	cmd.exe	77
PID 2752 wrote to memory of 1964	2752	cmd.exe	77
PID 2752 wrote to memory of 1964	2752	cmd.exe	77
PID 2752 wrote to memory of 328	2752	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87776ea65313e3647616cd5007bbacf9a7dc34b47749a82cf60fa10208e94b42.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfRHWD7XoS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:824
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2464
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2268
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1964
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        13⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2236
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        15⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2692
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        17⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1696
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
        19⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1244
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        21⤵
        
        PID:752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:112
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
        23⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2320
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
        
        "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d1f4015bd50905a1ee08dd2770252a4

SHA1
7269254180ab926f5f2f10c4e43bbf776bd1f9b9

SHA256
3bc496fd61e7831bc5d8a393ed424e7361c7952b30628f5c24161d363ffe9832

SHA512
6d5cf193c7ef6bc5b8410fbc6e8c6d62a5034f1be0f6055f3958277ee7ce1d1e0cb2c46bb4c25599796522f8366456ebe24942194a2e9101695a0ce04acfd4cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29a6b430318dc58732a8baf4cbfcb578

SHA1
14354cbc05c5176435eb13bc515f7254291d4b90

SHA256
e34e7f167d5e8d2cb7c57003448cd2caa7a00ae8c42a147b29b47a7889033bdf

SHA512
222fe79e0086d804f34b94aa901be0d2a858e6cb14253d2905b27e10f079904314890eedf5a7c5aa2000cfea85f272bc2304dfc3426c9ec32d3ef1e6aa37739d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
719862098138572e8f9633b952fb66e7

SHA1
eb876a1f36013ba6772125e7e47e671aff2f1492

SHA256
90fb3bfcea1c21982e2f0d705e1c08eebcdf8e3bad8c1e1d1bfa2470d755c584

SHA512
eaca9f568138d4fceabf59ef3d73c326a2bb44a1a846b06caa870e3969fca9c8ed4c36e2ac2c7c2505b7e08788173ef0eea0b3fb81e61639f8dcd5792f85d9fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d50efafdd0e2b3a32d6e213c7df95a49

SHA1
301ba04293788d12d1b72a74d2236427a18dbcf1

SHA256
48ede79c9ed9a38ebd0a0841a6f7b511594e1fc3c44cc2a25767ab2574b07dff

SHA512
fa7d489a91189e2178bb7ad7319fae5114ad7a719c53b9984c7e1c3ad7be1c1a592456d42bc2645a901bef55405fc2ba8c16ea46c7529dd72b3100825a26a157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5a88102ab67ae8aa3d17b5ea852b643

SHA1
e4e47b3d722fa49901be33f6815b950c577a520b

SHA256
cec6ceb86712bffb37caa3d4e32e9072c8687365f85c4377ae920fe1965c7d36

SHA512
9a6dd98f4312eaeca57322379b8e8443b69b2bc2d766ba73b2ae86426445dc2699c9f69070e9f4a0d51431fbd1e573c703ce1a20357d1cf530c80116b3955fcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65980f0ce4cd243c96b36c2178e4d5db

SHA1
50aab0476c71d37142622e7e6ad8f0b893b29aa0

SHA256
63bf33b7a027ac6101e6075f679c74ac4b3478c4b773f035fbd8727591350157

SHA512
2d89d31d2ca279a12c6c3f32c5ca4edb4afcc848ae548aaa53f15baf91aa2e0f625d760c3f4f30f90d8a9e7644e062e319396f9e4efb12bf6ae70c00d6f8f5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d60b6b0dc929673b58888d81271e6ae

SHA1
06557eb88944b14ab0d813f2769ab809ce7a50bd

SHA256
f9304aaa2a40bffaa1db5eff004b26ee9c8ef657275492bf91525da3f852bdae

SHA512
1eca07e3ef97571ef80240b2969aeef2ced8ab593e65681e86701e56f90c49de7fb4527501c657a1c94e88666802cb71356ef8b4c1074c567cff881adb527090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e9f8dc0db7fcd3857e074814b46e60e

SHA1
592434a32271063c16e186cf33aff1dfab698555

SHA256
7c1edad5e61bab6c61cb31de08a51d118e77333b4e94573279830df6a5c9d4a8

SHA512
564a02f82a595a84b68b55326968391230bb3badaa976dfe499448bb0d6eac222f6130db02fd2e439efe3749f98629d1f170f1f79e963ae4bcd42e9b32dcc7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
220B

MD5
89412160975648a1147a3d97bb498a3f

SHA1
4327afae7d3c224a60f3dc67c7f8d56120fda8d9

SHA256
a99fd108b66d5c29a110149468530e33c42802417f511d3886ced571de27e38a

SHA512
c6b3974e45bd9079ba8f79e95af9e2f659cc68895bcf50b31a364c68cb46a541bee3781c7508f397d5457e846bef2f898ac73c776b864567bceb766ee8c099d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
220B

MD5
82c9cf4f316af9cfc4b354ed2c4b0965

SHA1
bfdedb9937e33ce5647a7a45861099087d24d91a

SHA256
ded0cdead2d5f5bf915ad91217e594f54403a158a544f57d099e05f6fbc0330a

SHA512
218f8da67c327b25ecfe2329fbb59ae672a3ecf56127a85bdfe8d2cf11468a68af1f8561e27bd9be3910429c71094568780c46324167375fb44010383bf4dbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
220B

MD5
f49bccdd5dc692e46dfea638834d204c

SHA1
db5ba502ec7d7102e908cbf63f998a5fec85bbb7

SHA256
5bcc6669a0b115ed722dc0f95010e310052bbcff3e25e350a095e5c24dd57275

SHA512
f15219168a64d5d8101d435a661737caabae55e3269941ded5d142d76d3cf46e3eb8e1852ebd87a7afffb3c7a4c2f7286a407307a278e43599d4c32efe3d145a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IfRHWD7XoS.bat

Filesize
220B

MD5
28c3c4d6f0e3218d5633b9a70d4e26a1

SHA1
17adc24705f84378615c60092c5fff20292cb7a5

SHA256
9835b846b73b1ccca0a73627aa724c9084dd01d297cf5d125636f0e6268f94fb

SHA512
65169ab50a5465647dc95b88a33ae1c416ec69a253a3a3ddb02e1bc85f32cc0214bc3554c5c9b91f0e554962a9608ca0fe4e35e1b8f1fa9975e2f67a50f68db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

Filesize
220B

MD5
f0be0697004d11ed9526d77bf9d8c275

SHA1
f29e7d592aae0d72db690271fc56bdf6c22daa8a

SHA256
869e767d5d4667f4c137b5a13c61bbc67c03505b48ea54b33f2aa70feeaea1f0

SHA512
7eb4b3f856a8384f223a1ffb54d9cc5e466694616025a9bdb389417dadd4e1ba8bef8637fe3841e988ec1782eb6a78b1c953e5071239c388eab3266c60f1dde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

Filesize
220B

MD5
9342921cc4f971883fab37d19546b17f

SHA1
97c90ee07da6c03bee09bda0cd5aa1d194d51d19

SHA256
d750c7ab881ddf81671f2b21a671c5faeb5ccf98c8acc9947c4ea484f745a937

SHA512
753e34e920df4e81c5f927b92da37b8a725d1e62f839891307924169403b3b1c9379f773b336fd5d58767b142b61f75816b27b7438a5a88d6cf567c56b6ffb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE41D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
220B

MD5
04cfdd3938d283008fd484c7b85a9681

SHA1
fc283f062e64010a1ba3ffd77d8cc654c0d6b569

SHA256
e635fcad6488d555c4d3bbbb9d6beb77b607bdc0fa486d0929c9279940ee06b3

SHA512
8453dea46635f554ebe3f8b7a62d6334cdad7e421ce27260d035367dc908915aadb8e3ec656a9fe729deb45c0de80e20ea573087fcd8d9d2c61c2524389aba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
220B

MD5
23bbff855d3912e70fd854606411f8f1

SHA1
2e1001c8e6423beef964871cc1d3e30bd553df3c

SHA256
c0ba5fd60fb56188f2c52427c72a79569bb0569a0c7bc779d479eb8f185728e7

SHA512
8d168edf865c965998687846557d325546b3c296cc366b052650c8e867da13bd8cb4672e53db8520402da64c4930575cb23de172e16caaf9ed8477f44d90aa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
220B

MD5
b092e3a174697ab38b7301143ea77bc3

SHA1
aa54d78916ffc754d89d2335981643cc9bff4103

SHA256
6be3de9827f865f562e37424c8deb24b9469ce20b893b42f0c79241b33fd7b4d

SHA512
29415dbdfd91a1dbf3765fa3523efb995cb4b227ff60872715581fa50de4500305bfc75a4da956c8de62d22ab7eef39009dd105d97d1a9f9ec6fcc2a595a0ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
220B

MD5
8bdefb1e1f659cd2fdfa0babf299b632

SHA1
cde9f12900b8c722eafb0cf0d3eaebf8796ecd97

SHA256
87db9cec7de6195b2f8882514db0dd1810af659f2f73c00f1254548aa97dc5e5

SHA512
d6d71d0d198ef27555d2582123f1c23933820a9400e651d9dd3f56a8c85578507c7186debb5854f2c42fade5c02729a1941938aa3af27eff01816cb89a05be21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dee62e2d838b8054ded03188ca272b64

SHA1
912ca7e73d5540dfc99d076ceea51f4d924f7d13

SHA256
32a9ec8dc92e8b5709d28ff83957e8895a79bd070f89cb3d5a1da2cb3d2f27f3

SHA512
0fe0c2c2601b97c98d554e1941f0fe1972b11ef00d30418bd9ebc647966e7bb5c45b11c771b7615b86e4c975e8d5a1e4f135b277115cde26ffe01eb18295f9ae

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/328-246-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/448-487-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/620-366-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/988-66-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2400-306-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2416-62-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2416-63-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2460-606-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-426-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2748-427-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2752-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-186-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2756-185-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2816-125-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download