dcrat | b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

428bdccd4c240a253810e1c2a4ff8b78.exe
Size

827KB
MD5

428bdccd4c240a253810e1c2a4ff8b78
SHA1

6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c
SHA256

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d
SHA512

81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63
SSDEEP

12288:GurCqcV04iJuX03lJmrw1DMVMkNcL4uhB6lg1npjzh/Ta6:bypiJOw1D8YhB6lkpjdO6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2864	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/3216-1-0x00000000002D0000-0x00000000003A6000-memory.dmp dcrat
C:\Program Files (x86)\Google\Temp\fontdrvhost.exe dcrat

resource	yara_rule
behavioral2/memory/3216-1-0x00000000002D0000-0x00000000003A6000-memory.dmp	dcrat
C:\Program Files (x86)\Google\Temp\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exe428bdccd4c240a253810e1c2a4ff8b78.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	428bdccd4c240a253810e1c2a4ff8b78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	428bdccd4c240a253810e1c2a4ff8b78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 13 IoCs

Processes:

Registry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exe

pid	process
224	Registry.exe
1668	Registry.exe
4616	Registry.exe
868	Registry.exe
2648	Registry.exe
3252	Registry.exe
1840	Registry.exe
636	Registry.exe
464	Registry.exe
224	Registry.exe
1068	Registry.exe
2380	Registry.exe
4884	Registry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
60	pastebin.com
61	pastebin.com
33	pastebin.com
52	pastebin.com
56	pastebin.com
64	pastebin.com
87	pastebin.com
88	pastebin.com
43	pastebin.com
48	pastebin.com
77	pastebin.com
83	pastebin.com
24	pastebin.com
25	pastebin.com

Drops file in Program Files directory 2 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\fontdrvhost.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Google\Temp\5b884080fd4f94	428bdccd4c240a253810e1c2a4ff8b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

Registry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1696	schtasks.exe
1220	schtasks.exe
1028	schtasks.exe
3712	schtasks.exe
3960	schtasks.exe
2936	schtasks.exe
4640	schtasks.exe
3628	schtasks.exe
1564	schtasks.exe
1552	schtasks.exe
1848	schtasks.exe
4088	schtasks.exe
1800	schtasks.exe
3360	schtasks.exe
2060	schtasks.exe
1668	schtasks.exe
3968	schtasks.exe
2920	schtasks.exe
1472	schtasks.exe
2648	schtasks.exe
1144	schtasks.exe
1252	schtasks.exe
1556	schtasks.exe
3452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exeRegistry.exe

pid	process
3216	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
1484	428bdccd4c240a253810e1c2a4ff8b78.exe
224	Registry.exe
1668	Registry.exe
1668	Registry.exe
4616	Registry.exe
4616	Registry.exe
868	Registry.exe
868	Registry.exe
2648	Registry.exe
2648	Registry.exe
3252	Registry.exe
3252	Registry.exe
1840	Registry.exe
1840	Registry.exe
636	Registry.exe
636	Registry.exe
464	Registry.exe
224	Registry.exe
1068	Registry.exe
2380	Registry.exe
4884	Registry.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3216	428bdccd4c240a253810e1c2a4ff8b78.exe
Token: SeDebugPrivilege	1484	428bdccd4c240a253810e1c2a4ff8b78.exe
Token: SeDebugPrivilege	224	Registry.exe
Token: SeDebugPrivilege	1668	Registry.exe
Token: SeDebugPrivilege	4616	Registry.exe
Token: SeDebugPrivilege	868	Registry.exe
Token: SeDebugPrivilege	2648	Registry.exe
Token: SeDebugPrivilege	3252	Registry.exe
Token: SeDebugPrivilege	1840	Registry.exe
Token: SeDebugPrivilege	636	Registry.exe
Token: SeDebugPrivilege	464	Registry.exe
Token: SeDebugPrivilege	224	Registry.exe
Token: SeDebugPrivilege	1068	Registry.exe
Token: SeDebugPrivilege	2380	Registry.exe
Token: SeDebugPrivilege	4884	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exeRegistry.execmd.exe

description	pid	process	target process
PID 3216 wrote to memory of 1484	3216	428bdccd4c240a253810e1c2a4ff8b78.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
PID 3216 wrote to memory of 1484	3216	428bdccd4c240a253810e1c2a4ff8b78.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
PID 1484 wrote to memory of 224	1484	428bdccd4c240a253810e1c2a4ff8b78.exe	Registry.exe
PID 1484 wrote to memory of 224	1484	428bdccd4c240a253810e1c2a4ff8b78.exe	Registry.exe
PID 224 wrote to memory of 3712	224	Registry.exe	cmd.exe
PID 224 wrote to memory of 3712	224	Registry.exe	cmd.exe
PID 3712 wrote to memory of 1020	3712	cmd.exe	w32tm.exe
PID 3712 wrote to memory of 1020	3712	cmd.exe	w32tm.exe
PID 3712 wrote to memory of 1668	3712	cmd.exe	Registry.exe
PID 3712 wrote to memory of 1668	3712	cmd.exe	Registry.exe
PID 1668 wrote to memory of 3696	1668	Registry.exe	cmd.exe
PID 1668 wrote to memory of 3696	1668	Registry.exe	cmd.exe
PID 3696 wrote to memory of 3056	3696	cmd.exe	w32tm.exe
PID 3696 wrote to memory of 3056	3696	cmd.exe	w32tm.exe
PID 3696 wrote to memory of 4616	3696	cmd.exe	Registry.exe
PID 3696 wrote to memory of 4616	3696	cmd.exe	Registry.exe
PID 4616 wrote to memory of 1740	4616	Registry.exe	cmd.exe
PID 4616 wrote to memory of 1740	4616	Registry.exe	cmd.exe
PID 1740 wrote to memory of 1800	1740	cmd.exe	w32tm.exe
PID 1740 wrote to memory of 1800	1740	cmd.exe	w32tm.exe
PID 1740 wrote to memory of 868	1740	cmd.exe	Registry.exe
PID 1740 wrote to memory of 868	1740	cmd.exe	Registry.exe
PID 868 wrote to memory of 2672	868	Registry.exe	cmd.exe
PID 868 wrote to memory of 2672	868	Registry.exe	cmd.exe
PID 2672 wrote to memory of 620	2672	cmd.exe	w32tm.exe
PID 2672 wrote to memory of 620	2672	cmd.exe	w32tm.exe
PID 2672 wrote to memory of 2648	2672	cmd.exe	Registry.exe
PID 2672 wrote to memory of 2648	2672	cmd.exe	Registry.exe
PID 2648 wrote to memory of 2300	2648	Registry.exe	cmd.exe
PID 2648 wrote to memory of 2300	2648	Registry.exe	cmd.exe
PID 2300 wrote to memory of 5108	2300	cmd.exe	w32tm.exe
PID 2300 wrote to memory of 5108	2300	cmd.exe	w32tm.exe
PID 2300 wrote to memory of 3252	2300	cmd.exe	Registry.exe
PID 2300 wrote to memory of 3252	2300	cmd.exe	Registry.exe
PID 3252 wrote to memory of 748	3252	Registry.exe	cmd.exe
PID 3252 wrote to memory of 748	3252	Registry.exe	cmd.exe
PID 748 wrote to memory of 644	748	cmd.exe	w32tm.exe
PID 748 wrote to memory of 644	748	cmd.exe	w32tm.exe
PID 748 wrote to memory of 1840	748	cmd.exe	Registry.exe
PID 748 wrote to memory of 1840	748	cmd.exe	Registry.exe
PID 1840 wrote to memory of 380	1840	Registry.exe	cmd.exe
PID 1840 wrote to memory of 380	1840	Registry.exe	cmd.exe
PID 380 wrote to memory of 1048	380	cmd.exe	w32tm.exe
PID 380 wrote to memory of 1048	380	cmd.exe	w32tm.exe
PID 380 wrote to memory of 636	380	cmd.exe	Registry.exe
PID 380 wrote to memory of 636	380	cmd.exe	Registry.exe
PID 636 wrote to memory of 1812	636	Registry.exe	cmd.exe
PID 636 wrote to memory of 1812	636	Registry.exe	cmd.exe
PID 1812 wrote to memory of 3832	1812	cmd.exe	w32tm.exe
PID 1812 wrote to memory of 3832	1812	cmd.exe	w32tm.exe
PID 1812 wrote to memory of 464	1812	cmd.exe	Registry.exe
PID 1812 wrote to memory of 464	1812	cmd.exe	Registry.exe
PID 464 wrote to memory of 5108	464	Registry.exe	cmd.exe
PID 464 wrote to memory of 5108	464	Registry.exe	cmd.exe
PID 5108 wrote to memory of 1200	5108	cmd.exe	w32tm.exe
PID 5108 wrote to memory of 1200	5108	cmd.exe	w32tm.exe
PID 5108 wrote to memory of 224	5108	cmd.exe	Registry.exe
PID 5108 wrote to memory of 224	5108	cmd.exe	Registry.exe
PID 224 wrote to memory of 2624	224	Registry.exe	cmd.exe
PID 224 wrote to memory of 2624	224	Registry.exe	cmd.exe
PID 2624 wrote to memory of 4824	2624	cmd.exe	w32tm.exe
PID 2624 wrote to memory of 4824	2624	cmd.exe	w32tm.exe
PID 2624 wrote to memory of 1068	2624	cmd.exe	Registry.exe
PID 2624 wrote to memory of 1068	2624	cmd.exe	Registry.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe
"C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe
"C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe"
2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1020

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3056

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1800

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:620

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:5108

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:644

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:1048

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3832

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
20⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:1200

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
22⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:4824

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
24⤵
PID:4008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:2528

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
26⤵
PID:1728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:3044

C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
28⤵
PID:4904

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Public\Videos\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
1⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\fontdrvhost.exe
Filesize
827KB

MD5
428bdccd4c240a253810e1c2a4ff8b78

SHA1
6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c

SHA256
b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

SHA512
81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\428bdccd4c240a253810e1c2a4ff8b78.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat
Filesize
199B

MD5
74a63e6c6009eeddfa1caab3219b7207

SHA1
bd45db185b72e4a4752af0f9e31ab326748b746a

SHA256
aa71205f028f8f827ff28c48e22b645f7569e0d7ffa78416d870cfef3dc7eb54

SHA512
335f2b10033e51f0a3ff3a7cb3467066c8edd1ac89f8114589d8509085627b7ebcba34a5eff9a7be97c63e63e0b9fd21127384f22122dc6fb4796b89f93b1354

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat
Filesize
199B

MD5
4eff98c1fec59ac6e79cb9a5f64d191c

SHA1
6b3bd45e592f87d71ac4d5af98addeb2db6d76bf

SHA256
f0aabaa938674d517987560d1c5f75bd72660d0d5ac2b8f81cf4792072b1abd4

SHA512
131e36d02660d9dc904c2c003de237a7f37df9eef37f858fc66e79e9e16d43ee10016e2724ffae22150f974273e8ea349d51c0962077882a36fad08d2d814bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat
Filesize
199B

MD5
0d48b01068a3fd380abb7a1919dbbce8

SHA1
f07d3930e4ebac51bb40ab768ff42779466a20f6

SHA256
5fcedbb185f7bc02852453b48631efe955cee0b5c0ac68fa7f7ac69217ceea88

SHA512
1c98261265c25273664cdb5df7d44298a10f5b14dcd72832a5d6d705306162753aa8e02f20c143087c533828cb12007dda311929e4d823678bc8c50961fb38f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat
Filesize
199B

MD5
2a67b36a6b27c82a8756d73fbb486e59

SHA1
ca2d3ab1e0af6d9ebf12833785a6aa5c4217127f

SHA256
7896fa360ca8cdedc9165a6f010c66b07cca0df9b99c63f438866741046cbbe8

SHA512
1e1a4c97421338338b509358872fb3ab716ffbb67434560881a98fbe85d8f6bd2d6ba4f55bb44d289ccd9eb89c7deaccaad3c72ad5e2580ea4ef5806be104262

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat
Filesize
199B

MD5
ebc4991d022b535c7365be3232ec5440

SHA1
cbf3a6b483809382aae694d22300d368cfe44292

SHA256
75c233b37b86f90bf062ab85927e1c830e0184b903480b10f74ee4628a96b606

SHA512
c680e7d0b3780749033d6e6957a4e6764a6641687b82f7266e62598ff9b462f8c9b99e44a7a0a82de29c98de09f22dd14224810ec9b015931b6f604bd0ac233f

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat
Filesize
199B

MD5
abe42e2566e2f2953906ae69b332f387

SHA1
e3c097674b33efc55509a86e7e4f45a7da7e018d

SHA256
9a8df1144a4a4893df45d1a4d7a52d3272a35d147fc90f26e933481caebfcf6d

SHA512
e2b0a96457ab8ef6fe3c708eff75e8d61c15e44ae89f5044356b56564dcc1db3cbd8b8923a3fdd1d85de1dc72670ae6684951230f73d50cd3a30dff6a0afaa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat
Filesize
199B

MD5
891d8cf7eaba4286688efcf489ccaddc

SHA1
bb269010fbef88b3bdd623c65d4a31061dd2c407

SHA256
f9896e8b89a8128c63e4e5416e2d9c09ca3bafde937fa9380313807ce478c69a

SHA512
c35820e2a2487f918d13a2e158e0cb514866942dabcaa8dead97a8a14ff56fdca4dbfc153c0b9cde0d6cfe6d7a648bdf1c4ecaa9e53c4d6d18779767e78d63df

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat
Filesize
199B

MD5
cd935c7f502951f314c1ca9e834d7a49

SHA1
85ec1abc9456cb281d038beffea05fac817e94bd

SHA256
be0d3494168e5e2e0b1cdfbc9c369a3236d09ee3ad9feb8d4ef6578d288dc9c3

SHA512
2caf63563eebc91df14aeb2102a58399522b7b5521591890b972e8f14fcb6e189931fb19f7397e54b400fb67a9462ab2e1cb344c9e597e0f8ffb40fb4b9587e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat
Filesize
199B

MD5
e4e9ea5596945320b4211ee179c12169

SHA1
3dd41676f8c6cf93a3489296696216a3b5ec662c

SHA256
ec5c883d402f6941976c0b26c9f295afadb3e90397ff1845bd3fd0710d99ae2f

SHA512
00b28de59e5407a185a99898e2f52559de1f1b192e774d8e352d6d9c1b2b8817a82b4fa5718d6f2ed8204ff548640e2945975473415ac4a8b7862c29e217c4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat
Filesize
199B

MD5
be7cd03f05167cedf755984a46e1cd42

SHA1
8a972a732cae462a982c138b0056d433bd37eb6d

SHA256
3acac9785b29141b353104686df4b05ff509e389bfead93e01c8b4a39aeda7f9

SHA512
aab52c409f55c1a597c8a043f1594a1071e6464e6218ccc98d9bee4ed0001ecd83563cb80dbdcaf0a35b43a4727c2ca6783ee4c0db234940246672221ee642d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
Filesize
199B

MD5
c709a91207e1854585fba21aedfa498e

SHA1
fe65d9f3cf8569c9725ff17229c50e9d3da437a1

SHA256
be407d45cbc8dad97f1dd930937b83669325a5a2460443539e3459979b2c72a3

SHA512
f23feaf3ecb9bcc018fcb862b1bf42d774737644ee1f6436ec90d1ebae8e97987dbb1b5a101900e5a6f52a37649bdde831b623bd28c87368cde5521e72f41f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat
Filesize
199B

MD5
68d55114482cf03ad9fffb891ffc97eb

SHA1
d28b86bf8aaf2d73c14f466e2414fcce20081b0e

SHA256
ac3c36084fd4b4e405269c245df3ab200852973c43fe6298d862b38fdfe3879a

SHA512
f25b65ea9d8f16d2567cabcb536a1c21eab5a391dd695b3ed4bc4beb8aff31f829afeb9c82feca520ae593a1afcbfa851a605ae1d72d026e94d0f616f8162dc3

Download Submit
memory/3216-0-0x00007FFD3B923000-0x00007FFD3B925000-memory.dmp

Filesize
8KB

Download
memory/3216-11-0x00007FFD3B920000-0x00007FFD3C3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-4-0x00007FFD3B920000-0x00007FFD3C3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-1-0x00000000002D0000-0x00000000003A6000-memory.dmp

Filesize
856KB

Download