dcrat | 29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe
Size

1.3MB
MD5

a00eb22cd47293ae2541f6454bd15c2e
SHA1

b34bff0f01b98779089b49bbc63d2324bd2b518b
SHA256

29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515
SHA512

4a008d378bb0e288db9fe54eeb8ab9f075c6df2d18acddd24ff1c7485df0684331d2071c8dfb4b3e4becbcd67ce2b77ab1b39212b8dbefa1f610071e62803ade
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2932	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2932	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cc1-10.dat	dcrat
behavioral2/memory/2632-13-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3144	powershell.exe
4956	powershell.exe
3508	powershell.exe
4692	powershell.exe
2796	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 14 IoCs

pid	Process
2632	DllCommonsvc.exe
436	sysmon.exe
3200	sysmon.exe
1212	sysmon.exe
3940	sysmon.exe
3484	sysmon.exe
3196	sysmon.exe
4624	sysmon.exe
3780	sysmon.exe
4644	sysmon.exe
3600	sysmon.exe
2436	sysmon.exe
2664	sysmon.exe
3208	sysmon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com
50	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
37	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe
4056	schtasks.exe
3436	schtasks.exe
4944	schtasks.exe
4376	schtasks.exe
2508	schtasks.exe
1044	schtasks.exe
2952	schtasks.exe
3440	schtasks.exe
3360	schtasks.exe
2724	schtasks.exe
3432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
3508	powershell.exe
2796	powershell.exe
4956	powershell.exe
3144	powershell.exe
3508	powershell.exe
4956	powershell.exe
4692	powershell.exe
2796	powershell.exe
4692	powershell.exe
3144	powershell.exe
436	sysmon.exe
3200	sysmon.exe
1212	sysmon.exe
3940	sysmon.exe
3484	sysmon.exe
3196	sysmon.exe
4624	sysmon.exe
3780	sysmon.exe
4644	sysmon.exe
3600	sysmon.exe
2436	sysmon.exe
2664	sysmon.exe
3208	sysmon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	436	sysmon.exe
Token: SeDebugPrivilege	3200	sysmon.exe
Token: SeDebugPrivilege	1212	sysmon.exe
Token: SeDebugPrivilege	3940	sysmon.exe
Token: SeDebugPrivilege	3484	sysmon.exe
Token: SeDebugPrivilege	3196	sysmon.exe
Token: SeDebugPrivilege	4624	sysmon.exe
Token: SeDebugPrivilege	3780	sysmon.exe
Token: SeDebugPrivilege	4644	sysmon.exe
Token: SeDebugPrivilege	3600	sysmon.exe
Token: SeDebugPrivilege	2436	sysmon.exe
Token: SeDebugPrivilege	2664	sysmon.exe
Token: SeDebugPrivilege	3208	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2372	4064	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe	85
PID 4064 wrote to memory of 2372	4064	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe	85
PID 4064 wrote to memory of 2372	4064	JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe	85
PID 2372 wrote to memory of 3804	2372	WScript.exe	87
PID 2372 wrote to memory of 3804	2372	WScript.exe	87
PID 2372 wrote to memory of 3804	2372	WScript.exe	87
PID 3804 wrote to memory of 2632	3804	cmd.exe	89
PID 3804 wrote to memory of 2632	3804	cmd.exe	89
PID 2632 wrote to memory of 4692	2632	DllCommonsvc.exe	104
PID 2632 wrote to memory of 4692	2632	DllCommonsvc.exe	104
PID 2632 wrote to memory of 2796	2632	DllCommonsvc.exe	105
PID 2632 wrote to memory of 2796	2632	DllCommonsvc.exe	105
PID 2632 wrote to memory of 3144	2632	DllCommonsvc.exe	106
PID 2632 wrote to memory of 3144	2632	DllCommonsvc.exe	106
PID 2632 wrote to memory of 4956	2632	DllCommonsvc.exe	107
PID 2632 wrote to memory of 4956	2632	DllCommonsvc.exe	107
PID 2632 wrote to memory of 3508	2632	DllCommonsvc.exe	108
PID 2632 wrote to memory of 3508	2632	DllCommonsvc.exe	108
PID 2632 wrote to memory of 2400	2632	DllCommonsvc.exe	114
PID 2632 wrote to memory of 2400	2632	DllCommonsvc.exe	114
PID 2400 wrote to memory of 1508	2400	cmd.exe	116
PID 2400 wrote to memory of 1508	2400	cmd.exe	116
PID 2400 wrote to memory of 436	2400	cmd.exe	122
PID 2400 wrote to memory of 436	2400	cmd.exe	122
PID 436 wrote to memory of 1556	436	sysmon.exe	130
PID 436 wrote to memory of 1556	436	sysmon.exe	130
PID 1556 wrote to memory of 3024	1556	cmd.exe	132
PID 1556 wrote to memory of 3024	1556	cmd.exe	132
PID 1556 wrote to memory of 3200	1556	cmd.exe	134
PID 1556 wrote to memory of 3200	1556	cmd.exe	134
PID 3200 wrote to memory of 708	3200	sysmon.exe	139
PID 3200 wrote to memory of 708	3200	sysmon.exe	139
PID 708 wrote to memory of 4264	708	cmd.exe	141
PID 708 wrote to memory of 4264	708	cmd.exe	141
PID 708 wrote to memory of 1212	708	cmd.exe	143
PID 708 wrote to memory of 1212	708	cmd.exe	143
PID 1212 wrote to memory of 1008	1212	sysmon.exe	145
PID 1212 wrote to memory of 1008	1212	sysmon.exe	145
PID 1008 wrote to memory of 3172	1008	cmd.exe	147
PID 1008 wrote to memory of 3172	1008	cmd.exe	147
PID 1008 wrote to memory of 3940	1008	cmd.exe	149
PID 1008 wrote to memory of 3940	1008	cmd.exe	149
PID 3940 wrote to memory of 4384	3940	sysmon.exe	151
PID 3940 wrote to memory of 4384	3940	sysmon.exe	151
PID 4384 wrote to memory of 4800	4384	cmd.exe	153
PID 4384 wrote to memory of 4800	4384	cmd.exe	153
PID 4384 wrote to memory of 3484	4384	cmd.exe	155
PID 4384 wrote to memory of 3484	4384	cmd.exe	155
PID 3484 wrote to memory of 1196	3484	sysmon.exe	157
PID 3484 wrote to memory of 1196	3484	sysmon.exe	157
PID 1196 wrote to memory of 32	1196	cmd.exe	159
PID 1196 wrote to memory of 32	1196	cmd.exe	159
PID 1196 wrote to memory of 3196	1196	cmd.exe	162
PID 1196 wrote to memory of 3196	1196	cmd.exe	162
PID 3196 wrote to memory of 1188	3196	sysmon.exe	164
PID 3196 wrote to memory of 1188	3196	sysmon.exe	164
PID 1188 wrote to memory of 4844	1188	cmd.exe	166
PID 1188 wrote to memory of 4844	1188	cmd.exe	166
PID 1188 wrote to memory of 4624	1188	cmd.exe	168
PID 1188 wrote to memory of 4624	1188	cmd.exe	168
PID 4624 wrote to memory of 5036	4624	sysmon.exe	170
PID 4624 wrote to memory of 5036	4624	sysmon.exe	170
PID 5036 wrote to memory of 336	5036	cmd.exe	172
PID 5036 wrote to memory of 336	5036	cmd.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_29de66c9068642126d3bfe2826d9b1a510837b17023f95c3de11a134b7745515.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbq6CI9diq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1508
      - C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3024
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4264
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3172
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4800
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:32
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4844
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:336
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        21⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3636
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        23⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4388
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        25⤵
        
        PID:3420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:32
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        27⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4836
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        29⤵
        
        PID:4408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4648
        
        C:\providercommon\sysmon.exe
        
        "C:\providercommon\sysmon.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat

Filesize
193B

MD5
2452ba0b97d1ae687f4252cee1470c71

SHA1
59aa046000cbcf022424ac5419c3fa6ccadd3e7c

SHA256
47508fe2449d3976162e69f63bf9e630443d2d28ad3271038b18599e77a8fc10

SHA512
0c8bc72c2ba0925aa98322a80c0b30950aeb75f11cac0b76e0547f6c9586f1ae5a33ef82fbd15149edbf2217ac507fef1d7c0123cb754b5d01377ba4fd2342a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
193B

MD5
8d65d1d2cb1aeb8343eea27078be2e1d

SHA1
51269876d07c79c34bc032eb779b4c65992cdba6

SHA256
785859850adb4c52ce50f390a7e17e743970e0a7e0629fd48edf1755b8a33606

SHA512
b96630843080f1853415d73170a9c5703ee626b549434848017aec1499441b7dc7a060812116e7b3a6e0586a8bcbd609f9bbf45ff4b2c54e6394687c5ccc92ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
193B

MD5
c91b57cb59e3f16747c3da493d795a2f

SHA1
476170c2027cd8ab53d20ca704e3e1e1c8289fa4

SHA256
481da602092191fd1661d431454ccba9fbf4d5db0cbe16bfa52f94674f1191bd

SHA512
0bb90b9559d0575e015e1cf85558f427dfbc18bf0da1cb0ce80ba0534d9264dcf0f65708a42c89b53c5252094576bcd641a7a992925f1fbc7fdf9eb1d81fca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
193B

MD5
28fa2bad3bafb0f5c491a98fc7420707

SHA1
5d5bdc2de7469a4b4a6f0f0321c7b712c9d0735d

SHA256
4ea4608a748efd43972ffe6db7641307ee66937a82c53edc28d27ed241db5096

SHA512
cb124d30cabfe01a20cea96be5b3aeffd8aff2d0e4169326ee9d23ecd394a7632718cdeb2102dafacf7560e613ccb10359cb4b41be896cd6218bbf9f46b391a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbq6CI9diq.bat

Filesize
193B

MD5
daec84129b34ea177a9b9b13374bc73d

SHA1
aadd1b990ca00ec4abe444ef7250acb6fc9c10d3

SHA256
101dd58404beebfa56e53423244b49437327b04df5ef5d697c9601f9f2cdb6f9

SHA512
61d9217df9b8f942ef4518b6e5a3ba21fed9078d903bfea61374be4f9686a6b27618a0d741c5f9e4c4ee28fced7b4d40b5db38b8720791d2648c851b4c3464d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
193B

MD5
cfcccd5cdd9ec513368265a5bcd5cc05

SHA1
96f1fc0c9b70dad2a8dc7143329ca712313a65d4

SHA256
724fd1cd467140eb81dfc0cdeb6ec061c10510a30bcafb2b7dd9706d87e69e15

SHA512
84d647b11ff1a9feb32cf720546863973b49846adbfcb4998ee9a19e9c1a18a694aa13df46f95d0332fd2a4894c641c6258f694d1fe25a487ed182fbc3c362b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
193B

MD5
e6ed3c9cef6d4bb3bc3329cd3eb67a39

SHA1
bbcf327eda67054c7c6364a0e0aadeaf4e0f9d61

SHA256
7d0d5fb388b3e6ed8bc3769fc18b035904bab6acf35878316e34f40a7fa1da60

SHA512
af3ec8c20f5ade479d075558cd7b3c8b866ee96ee5458f426743f86750d7aebcbae555405ef8aa64f24ff9fd6231d67a2cac0909650460429141a0fbb140205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxp3st4y.erh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
193B

MD5
01535253da2f0e92171d658271aa9a15

SHA1
415b83afe155c735c57d43332eeb52f869a421f9

SHA256
f4262c88d1d1e878be0ad1422f7ff1976e745f42fef8839b5ad69078a4f09012

SHA512
929b7e3f5e4c2239a18f0a9fa29d0e4d6ed1afc2d54a4c510e57d63199da2f2b4ef9e2b2ffc5a3027683c77d97d501e86a4503a13376f31ce9cbe25d22940d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
193B

MD5
eef06ff840ffc625835a6ff674280fa3

SHA1
a4d0697d8d5bffded418f4802e91ad777d5a414f

SHA256
0fe08d71ac2d1cb7333aee018368340213b94a8ed540e3255eeb7ed0d3077f49

SHA512
7e87d0bb2a0f7948d47bec27d30be0fc5d1a10420b895252e93a377efe0a6879f1d2f8929a349060464bc8f3b33530fc551fca960a79a76d46145dfc00f7e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
193B

MD5
411f2f02c9d380afae789bd13689c547

SHA1
479c318f6fd1be66361bfc862049d5124ec9cd9f

SHA256
ee3edb506ce5b606cbc0a5bd3f54c8761990253f90aba4cf9be7acffc4068238

SHA512
76fda25dfc7dac8d50bda219fe2cc21f9af244b19161bd4615eae5eea2dac13a30d4f616461eec14271907003b9d1cd2929045e27c6d36a1a6245628f93cbbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
193B

MD5
8c536828083a31854d5e4fab0209e027

SHA1
be9c66871f2199320ba659be7fb66866dcbf9a09

SHA256
8b14b4b20dd5c066b5b04ef4bfa14e95b9a5edceb52ea9cda79acbd343705ec3

SHA512
395161ecbc9a0832589c55b1164251e7366768780fb0aca3b670e6d81821f3fc322596449ba431844f515915932936e4405997815d49cdfe77d3da2a660e1922

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
193B

MD5
284543f8342a27dc619bb3bdb10ac869

SHA1
32671543cff7c57deabec1fd967a78e50af4e700

SHA256
846a845a175dd016483bd7e05a203ada72cc6c7595ca38dfc7ac39ef220ea253

SHA512
14704ccb38ebf06dbe665efc52d8e2746af3c0bdcbc83a57f3b44229202df9785f74d0645d7b9d0e785f51b99f9d5a06e34b2fd6a0b476b031fada42fc13ec42

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2436-158-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/2632-17-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/2632-15-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/2632-14-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/2632-13-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2632-12-0x00007FF9759B3000-0x00007FF9759B5000-memory.dmp

Filesize
8KB

Download
memory/2632-16-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/2664-169-0x000000001C520000-0x000000001C622000-memory.dmp

Filesize
1.0MB

Download
memory/3196-125-0x0000000002E70000-0x0000000002E82000-memory.dmp

Filesize
72KB

Download
memory/3208-172-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/3484-118-0x0000000002F10000-0x0000000002F22000-memory.dmp

Filesize
72KB

Download
memory/3508-36-0x000002227A910000-0x000002227A932000-memory.dmp

Filesize
136KB

Download
memory/3600-151-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/4644-144-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download