arkei | be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211104
submitted
04-12-2021 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
Size

272KB
MD5

e4494d34011d0832c3ccd66122516a6a
SHA1

c1549e91ea6424a6bdb0b6ffa5500a346baf3aee
SHA256

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9
SHA512

aa70e1197e39664016136d77384fbb3b1de9e2ad217c0a0e91bea0a052a38a8fb03dea367c41d49296ce7364d66b60955db93e76866c1dfa05b5efaf2bd5ce2b

Score

10^/10

arkei cryptbot raccoon smokeloader 8b6023dd139bdc34aab99c286fae23d1442b4956 b620be4c85b4051a92040003edbc322be4eb082d default backdoor collection discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

8b6023dd139bdc34aab99c286fae23d1442b4956

Attributes

url4cnc
http://91.219.236.27/h_electricryptors2
http://5.181.156.92/h_electricryptors2
http://91.219.236.207/h_electricryptors2
http://185.225.19.18/h_electricryptors2
http://91.219.237.227/h_electricryptors2
https://t.me/h_electricryptors2

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://153.92.210.92/lYWcN6H7B1.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4012-179-0x00000000000E0000-0x00000000005AA000-memory.dmp	family_arkei
behavioral1/memory/4012-180-0x00000000000E0000-0x00000000005AA000-memory.dmp	family_arkei
behavioral1/memory/4012-181-0x00000000000E0000-0x00000000005AA000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

27D.exe27D.exe3872.exeAA09.exeAA29.exeAA09.exeBD35.exeC17C.exeF29F.exe

pid process

3512 27D.exe
3760 27D.exe
1612 3872.exe
2864 AA09.exe
2552 AA29.exe
1948 AA09.exe
1324 BD35.exe
4012 C17C.exe
3124 F29F.exe

pid	process
3512	27D.exe
3760	27D.exe
1612	3872.exe
2864	AA09.exe
2552	AA29.exe
1948	AA09.exe
1324	BD35.exe
4012	C17C.exe
3124	F29F.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C17C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C17C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C17C.exe

Deletes itself 1 IoCs

Processes:

pid process

3024
Loads dropped DLL 3 IoCs

Processes:

C17C.exe

pid process

4012 C17C.exe
4012 C17C.exe
4012 C17C.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3024

pid	process
4012	C17C.exe
4012	C17C.exe
4012	C17C.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

C17C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C17C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

C17C.exe

pid process

4012 C17C.exe
4012 C17C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C17C.exe

pid	process
4012	C17C.exe
4012	C17C.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe27D.exeAA09.exe

description	pid	process	target process
PID 3728 set thread context of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3512 set thread context of 3760	3512	27D.exe	27D.exe
PID 2864 set thread context of 1948	2864	AA09.exe	AA09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

924 3124 WerFault.exe F29F.exe

pid	pid_target	process	target process
924	3124	WerFault.exe	F29F.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3872.exebe96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe27D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3872.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3872.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3872.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BD35.exeC17C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BD35.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BD35.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C17C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C17C.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2356 timeout.exe

pid	process
2356	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe

pid	process
1852	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
1852	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe27D.exe3872.exe

pid process

1852 be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
3760 27D.exe
1612 3872.exe
3024
3024
3024
3024

pid	process
3024

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

WerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeRestorePrivilege	924	WerFault.exe
Token: SeBackupPrivilege	924	WerFault.exe
Token: SeDebugPrivilege	924	WerFault.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe27D.exeAA09.exeBD35.execmd.exe

description	pid	process	target process
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3728 wrote to memory of 1852	3728	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe	be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
PID 3024 wrote to memory of 3512	3024		27D.exe
PID 3024 wrote to memory of 3512	3024		27D.exe
PID 3024 wrote to memory of 3512	3024		27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3512 wrote to memory of 3760	3512	27D.exe	27D.exe
PID 3024 wrote to memory of 1612	3024		3872.exe
PID 3024 wrote to memory of 1612	3024		3872.exe
PID 3024 wrote to memory of 1612	3024		3872.exe
PID 3024 wrote to memory of 2864	3024		AA09.exe
PID 3024 wrote to memory of 2864	3024		AA09.exe
PID 3024 wrote to memory of 2864	3024		AA09.exe
PID 3024 wrote to memory of 2552	3024		AA29.exe
PID 3024 wrote to memory of 2552	3024		AA29.exe
PID 3024 wrote to memory of 2552	3024		AA29.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 2864 wrote to memory of 1948	2864	AA09.exe	AA09.exe
PID 3024 wrote to memory of 1324	3024		BD35.exe
PID 3024 wrote to memory of 1324	3024		BD35.exe
PID 3024 wrote to memory of 1324	3024		BD35.exe
PID 3024 wrote to memory of 4012	3024		C17C.exe
PID 3024 wrote to memory of 4012	3024		C17C.exe
PID 3024 wrote to memory of 4012	3024		C17C.exe
PID 3024 wrote to memory of 1856	3024		explorer.exe
PID 3024 wrote to memory of 1856	3024		explorer.exe
PID 3024 wrote to memory of 1856	3024		explorer.exe
PID 3024 wrote to memory of 1856	3024		explorer.exe
PID 3024 wrote to memory of 2252	3024		explorer.exe
PID 3024 wrote to memory of 2252	3024		explorer.exe
PID 3024 wrote to memory of 2252	3024		explorer.exe
PID 3024 wrote to memory of 3124	3024		F29F.exe
PID 3024 wrote to memory of 3124	3024		F29F.exe
PID 3024 wrote to memory of 3124	3024		F29F.exe
PID 1324 wrote to memory of 3216	1324	BD35.exe	cmd.exe
PID 1324 wrote to memory of 3216	1324	BD35.exe	cmd.exe
PID 1324 wrote to memory of 3216	1324	BD35.exe	cmd.exe
PID 3216 wrote to memory of 2356	3216	cmd.exe	timeout.exe
PID 3216 wrote to memory of 2356	3216	cmd.exe	timeout.exe
PID 3216 wrote to memory of 2356	3216	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
"C:\Users\Admin\AppData\Local\Temp\be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Local\Temp\be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe
"C:\Users\Admin\AppData\Local\Temp\be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1852

C:\Users\Admin\AppData\Local\Temp\27D.exe
C:\Users\Admin\AppData\Local\Temp\27D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\27D.exe
C:\Users\Admin\AppData\Local\Temp\27D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3760

C:\Users\Admin\AppData\Local\Temp\3872.exe
C:\Users\Admin\AppData\Local\Temp\3872.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1612

C:\Users\Admin\AppData\Local\Temp\AA09.exe
C:\Users\Admin\AppData\Local\Temp\AA09.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\AA09.exe
C:\Users\Admin\AppData\Local\Temp\AA09.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\AA29.exe
C:\Users\Admin\AppData\Local\Temp\AA29.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\BD35.exe
C:\Users\Admin\AppData\Local\Temp\BD35.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\BD35.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2356

C:\Users\Admin\AppData\Local\Temp\C17C.exe
C:\Users\Admin\AppData\Local\Temp\C17C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\F29F.exe
C:\Users\Admin\AppData\Local\Temp\F29F.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 776
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27D.exe
MD5
e4494d34011d0832c3ccd66122516a6a

SHA1
c1549e91ea6424a6bdb0b6ffa5500a346baf3aee

SHA256
be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9

SHA512
aa70e1197e39664016136d77384fbb3b1de9e2ad217c0a0e91bea0a052a38a8fb03dea367c41d49296ce7364d66b60955db93e76866c1dfa05b5efaf2bd5ce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\27D.exe
MD5
e4494d34011d0832c3ccd66122516a6a

SHA1
c1549e91ea6424a6bdb0b6ffa5500a346baf3aee

SHA256
be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9

SHA512
aa70e1197e39664016136d77384fbb3b1de9e2ad217c0a0e91bea0a052a38a8fb03dea367c41d49296ce7364d66b60955db93e76866c1dfa05b5efaf2bd5ce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\27D.exe
MD5
e4494d34011d0832c3ccd66122516a6a

SHA1
c1549e91ea6424a6bdb0b6ffa5500a346baf3aee

SHA256
be96c939b6e873c997f6d67b3c4bc1e9a9ea41899ff1152662929bea68e351e9

SHA512
aa70e1197e39664016136d77384fbb3b1de9e2ad217c0a0e91bea0a052a38a8fb03dea367c41d49296ce7364d66b60955db93e76866c1dfa05b5efaf2bd5ce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3872.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\3872.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA09.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA09.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA09.exe
MD5
45cf4ea0f9268e7306da20dea9d14210

SHA1
3574746d1d089f9989ee2c9e2048f014a61100ca

SHA256
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

SHA512
3996f207a4973428f7ecb419f16fdafb7fa6213cb0a9a7b48405baae10f85a4a381664291f4c59d5c6bc7158335ca07944fb712dc7dc14a3a393f9af490dfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA29.exe
MD5
01d426abb43fc960b0e6fd01bc6a4150

SHA1
49a255df018f6a561525ea0db493a3131d27865a

SHA256
c55475f188b1204a72a7ecb3e02bc4a465b933b860d7d5542c61972026b8b5c7

SHA512
701d2b9d6a12e7e1a3a8104221643da0e2dfd6ad612dcd38e4112249108858a5c26d0d44406d66071557b5819ba8b0f897a194f1607f964d6a3052960b3f182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA29.exe
MD5
01d426abb43fc960b0e6fd01bc6a4150

SHA1
49a255df018f6a561525ea0db493a3131d27865a

SHA256
c55475f188b1204a72a7ecb3e02bc4a465b933b860d7d5542c61972026b8b5c7

SHA512
701d2b9d6a12e7e1a3a8104221643da0e2dfd6ad612dcd38e4112249108858a5c26d0d44406d66071557b5819ba8b0f897a194f1607f964d6a3052960b3f182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD35.exe
MD5
e012b696d07f55fb3d174e0dcd2b85cd

SHA1
bae615d9f3673e2727f3bf9434769c37933f3eae

SHA256
66dbda8d599480f18b263c42eeec046a325430f2506a928723c82ea3f57d8dbc

SHA512
7bc88edfd5d45848b42b3b554c4a875d485b56eca6f9ec8f9186b0fae7d970e126084554cc08bdf203577986307ba2db7c98f0b420abb3dd9d59cc97b284778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD35.exe
MD5
e012b696d07f55fb3d174e0dcd2b85cd

SHA1
bae615d9f3673e2727f3bf9434769c37933f3eae

SHA256
66dbda8d599480f18b263c42eeec046a325430f2506a928723c82ea3f57d8dbc

SHA512
7bc88edfd5d45848b42b3b554c4a875d485b56eca6f9ec8f9186b0fae7d970e126084554cc08bdf203577986307ba2db7c98f0b420abb3dd9d59cc97b284778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C17C.exe
MD5
1b207ddcd4c46699ff46c7fa7ed2de4b

SHA1
64fe034264b3aad0c5b803a4c0e6a9ff33659a9c

SHA256
11144b039458f096d493a47411c028996236b8a75ed4264558f3edeb22af88f5

SHA512
4e51c4ea346c7ee05d7f67472efa6bd24fdb412be305ab2205ce8ae9a9813c06c4577433ad6fad115eed23f027bda69536fea69d89862b023b7924597f2ddc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C17C.exe
MD5
1b207ddcd4c46699ff46c7fa7ed2de4b

SHA1
64fe034264b3aad0c5b803a4c0e6a9ff33659a9c

SHA256
11144b039458f096d493a47411c028996236b8a75ed4264558f3edeb22af88f5

SHA512
4e51c4ea346c7ee05d7f67472efa6bd24fdb412be305ab2205ce8ae9a9813c06c4577433ad6fad115eed23f027bda69536fea69d89862b023b7924597f2ddc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F29F.exe
MD5
293d407e9b6637e6524b28b407fafe1e

SHA1
72d6003e85c3a271b6e8bd06c24a503d3a609040

SHA256
57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce

SHA512
953ab1b9ce82d6df49723df20f667a6def432d04e0714acc6130b5cd51af3d90d3600b926191b9283b0f99e7660bed0260d4a762afc2d2ebde8a57016f95a842

Download Submit
C:\Users\Admin\AppData\Local\Temp\F29F.exe
MD5
293d407e9b6637e6524b28b407fafe1e

SHA1
72d6003e85c3a271b6e8bd06c24a503d3a609040

SHA256
57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce

SHA512
953ab1b9ce82d6df49723df20f667a6def432d04e0714acc6130b5cd51af3d90d3600b926191b9283b0f99e7660bed0260d4a762afc2d2ebde8a57016f95a842

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\DUYMNQ~1.ZIP
MD5
dd720da60be984acb1941e41a8e1f673

SHA1
fd281547be8759c672009cbfa1aeae305094b0f6

SHA256
67c7e2a0bdf2b2dea677b2022dd80aba61bcb2166a53c4c049cbfd4d65b3ec85

SHA512
64fe7d7a6a3a6d309dcd06c93926b968312393da04745ec93402c7d8bdd7458621837222b0bece0df219029ee3aff70ffd33acf77d42ce61d1fd9dfe07e47bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\REJNFQ~1.ZIP
MD5
2bcdb98e93efcc8647f651b9d0468129

SHA1
03c78df98330345b618be040746d9b273a16e60c

SHA256
63e0b9d823f369c580dacbe405feb3984019af37990270a31eda9c0105646f6d

SHA512
4c502a9c5ad8bf8d551c79e9ef2d6b58b4b67967f9bd56fbbb268afc62bb93055f922d709bfa5eae649497c647920d31106b12c21a113b84456685ecbcfef05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_Chrome\DEFAUL~1.BIN
MD5
b963abf9a7967b3a22da64c9193fc932

SHA1
0831556392b56c00b07f04deb5474c4202c545e8

SHA256
6c0930a55e2b55dc01dbbcf1b43f4ceae3bd4b25bdde062953292427bdcb18f5

SHA512
64514a43b52786e09676bec07e15bc7224309c06c0ea5f691933ca3164c57a3e33d748fa8bd4596cf7deb64cbcd1e49ca75be4c22d79789d7ac3b1df45c19af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_INFOR~1.TXT
MD5
b134e1cb76680df802e6a0b2a8859e08

SHA1
ba797e8f4e1ac1fc5caab04df5c0bca7ea8133e8

SHA256
e1c6af9e91c3c3f34668afcdf92b896cc91074124f4ce36466fa55dcdd7c23f7

SHA512
c527aafcf6e51edd73108b539295898434d6a1b02eccfa3ff3b979b6948d25c03331ee1a1a1c002850a4998ac79330f1f12b4121480a6fdf433b5db99e8f80cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\_Files\_SCREE~1.JPE
MD5
7b265930249dc3bc3cedb63651603485

SHA1
268706d95c02589c9a941ecc9dec032de40442a7

SHA256
c47c0cd1516e5e7cfc91260244a69dc5ffdedf6874fe9561d29b7d62dbb820d6

SHA512
66403915b6c7fb0182c0503d6e0f15ad35cbac13f142fcc471c947c85a20a31f3072426f906f59a98b4dde955d134d0c9700e7c97b6f4ca0b46ba098e8f9bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\SCREEN~1.JPG
MD5
7b265930249dc3bc3cedb63651603485

SHA1
268706d95c02589c9a941ecc9dec032de40442a7

SHA256
c47c0cd1516e5e7cfc91260244a69dc5ffdedf6874fe9561d29b7d62dbb820d6

SHA512
66403915b6c7fb0182c0503d6e0f15ad35cbac13f142fcc471c947c85a20a31f3072426f906f59a98b4dde955d134d0c9700e7c97b6f4ca0b46ba098e8f9bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\SYSTEM~1.TXT
MD5
b134e1cb76680df802e6a0b2a8859e08

SHA1
ba797e8f4e1ac1fc5caab04df5c0bca7ea8133e8

SHA256
e1c6af9e91c3c3f34668afcdf92b896cc91074124f4ce36466fa55dcdd7c23f7

SHA512
c527aafcf6e51edd73108b539295898434d6a1b02eccfa3ff3b979b6948d25c03331ee1a1a1c002850a4998ac79330f1f12b4121480a6fdf433b5db99e8f80cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\_Chrome\DEFAUL~1.BIN
MD5
b963abf9a7967b3a22da64c9193fc932

SHA1
0831556392b56c00b07f04deb5474c4202c545e8

SHA256
6c0930a55e2b55dc01dbbcf1b43f4ceae3bd4b25bdde062953292427bdcb18f5

SHA512
64514a43b52786e09676bec07e15bc7224309c06c0ea5f691933ca3164c57a3e33d748fa8bd4596cf7deb64cbcd1e49ca75be4c22d79789d7ac3b1df45c19af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\odMhFaaKfP\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/1324-174-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/1324-157-0x0000000000000000-mapping.dmp

Download
memory/1324-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1612-136-0x0000000004750000-0x0000000004759000-memory.dmp

Filesize
36KB

Download
memory/1612-132-0x0000000000000000-mapping.dmp

Download
memory/1612-137-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/1612-135-0x0000000002DA0000-0x0000000002DA9000-memory.dmp

Filesize
36KB

Download
memory/1852-120-0x0000000000402F47-mapping.dmp

Download
memory/1852-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1856-182-0x0000000000000000-mapping.dmp

Download
memory/1856-184-0x0000000002AA0000-0x0000000002B14000-memory.dmp

Filesize
464KB

Download
memory/1856-185-0x0000000002A30000-0x0000000002A9B000-memory.dmp

Filesize
428KB

Download
memory/1948-151-0x0000000000401E7A-mapping.dmp

Download
memory/1948-147-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1948-154-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1948-155-0x0000000002BC0000-0x0000000002C6E000-memory.dmp

Filesize
696KB

Download
memory/1948-156-0x0000000004900000-0x000000000498F000-memory.dmp

Filesize
572KB

Download
memory/1948-160-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/1948-153-0x0000000000400000-0x0000000002BB9000-memory.dmp

Filesize
39.7MB

Download
memory/2252-187-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2252-183-0x0000000000000000-mapping.dmp

Download
memory/2252-186-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/2356-211-0x0000000000000000-mapping.dmp

Download
memory/2552-150-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2552-149-0x0000000000730000-0x00000000007BF000-memory.dmp

Filesize
572KB

Download
memory/2552-146-0x00000000007F8000-0x0000000000847000-memory.dmp

Filesize
316KB

Download
memory/2552-142-0x0000000000000000-mapping.dmp

Download
memory/2864-139-0x0000000000000000-mapping.dmp

Download
memory/2864-148-0x0000000000550000-0x00000000005FE000-memory.dmp

Filesize
696KB

Download
memory/3024-131-0x0000000002D70000-0x0000000002D86000-memory.dmp

Filesize
88KB

Download
memory/3024-138-0x0000000003430000-0x0000000003446000-memory.dmp

Filesize
88KB

Download
memory/3024-122-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/3124-188-0x0000000000000000-mapping.dmp

Download
memory/3124-191-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3216-196-0x0000000000000000-mapping.dmp

Download
memory/3512-130-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3512-123-0x0000000000000000-mapping.dmp

Download
memory/3728-118-0x0000000000719000-0x0000000000722000-memory.dmp

Filesize
36KB

Download
memory/3728-121-0x0000000000450000-0x000000000059A000-memory.dmp

Filesize
1.3MB

Download
memory/3760-128-0x0000000000402F47-mapping.dmp

Download
memory/4012-170-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-161-0x0000000000000000-mapping.dmp

Download
memory/4012-164-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-165-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-166-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-167-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4012-168-0x0000000076B90000-0x0000000076D52000-memory.dmp

Filesize
1.8MB

Download
memory/4012-169-0x0000000000990000-0x0000000000A3E000-memory.dmp

Filesize
696KB

Download
memory/4012-173-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-171-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-181-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-180-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-178-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-179-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download
memory/4012-177-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/4012-176-0x00000000000E0000-0x00000000005AA000-memory.dmp

Filesize
4.8MB

Download