joker | 2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e

Analysis

max time kernel
182s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
Size

74KB
MD5

7af2a4536f2383d82d15ec747f20cf96
SHA1

e8028181a0a93a1df105a8cc0e0dc629a1b5d376
SHA256

2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e
SHA512

2fd3472f5953c596b48fb6b9ae540d066891f92441b8a0302083720655a59a2c60a8405d463890188a1d5af3fda496f4f07501dc0fe29c4c781994a350d696f6
SSDEEP

1536:HJb7bstbnXgXSJJnxSWdXiF0x6KIiuLPjVtFi2eUNGPrbg0se:tObnISJtx7yBiUWlse

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
4556	simc.tmp
3168	smap.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3384	attrib.exe
4844	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smap.tmp

Loads dropped DLL 1 IoCs

pid	Process
2840	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\1.bat	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File created	C:\Program Files\FreeRapid\4.bat	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url	cmd.exe
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\3.bat	cmd.exe
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	rundll32.exe
File opened for modification	C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\1.inf	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\2.inf	cmd.exe
File created	C:\Program Files\FreeRapid\resv.bin	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File created	C:\Program Files\FreeRapid\2.bat	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
File opened for modification	C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}	attrib.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	simc.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3417574202"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989957"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu3333.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu3333.site\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu3333.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989957"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5700A4D-4A78-11ED-B696-C264E7FE3618} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu3333.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3398354341"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3398354341"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu3333.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989957"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?r"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?r"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	simc.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	simc.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	simc.tmp
4556	simc.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	4556	simc.tmp
Token: SeRestorePrivilege	4556	simc.tmp
Token: SeIncBasePriorityPrivilege	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
Token: SeIncBasePriorityPrivilege	3168	smap.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3852	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3852	iexplore.exe
3852	iexplore.exe
4148	IEXPLORE.EXE
4148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4556	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	82
PID 4828 wrote to memory of 4556	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	82
PID 4828 wrote to memory of 4556	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	82
PID 4556 wrote to memory of 360	4556	simc.tmp	83
PID 4556 wrote to memory of 360	4556	simc.tmp	83
PID 4556 wrote to memory of 360	4556	simc.tmp	83
PID 4828 wrote to memory of 4132	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	85
PID 4828 wrote to memory of 4132	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	85
PID 4828 wrote to memory of 4132	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	85
PID 4828 wrote to memory of 376	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	87
PID 4828 wrote to memory of 376	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	87
PID 4828 wrote to memory of 376	4828	2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe	87
PID 4132 wrote to memory of 2432	4132	cmd.exe	88
PID 4132 wrote to memory of 2432	4132	cmd.exe	88
PID 4132 wrote to memory of 2432	4132	cmd.exe	88
PID 4132 wrote to memory of 3168	4132	cmd.exe	90
PID 4132 wrote to memory of 3168	4132	cmd.exe	90
PID 4132 wrote to memory of 3168	4132	cmd.exe	90
PID 2432 wrote to memory of 3852	2432	cmd.exe	92
PID 2432 wrote to memory of 3852	2432	cmd.exe	92
PID 2432 wrote to memory of 4500	2432	cmd.exe	95
PID 2432 wrote to memory of 4500	2432	cmd.exe	95
PID 2432 wrote to memory of 4500	2432	cmd.exe	95
PID 2432 wrote to memory of 4108	2432	cmd.exe	96
PID 2432 wrote to memory of 4108	2432	cmd.exe	96
PID 2432 wrote to memory of 4108	2432	cmd.exe	96
PID 4108 wrote to memory of 3572	4108	cmd.exe	98
PID 4108 wrote to memory of 3572	4108	cmd.exe	98
PID 4108 wrote to memory of 3572	4108	cmd.exe	98
PID 4108 wrote to memory of 3656	4108	cmd.exe	99
PID 4108 wrote to memory of 3656	4108	cmd.exe	99
PID 4108 wrote to memory of 3656	4108	cmd.exe	99
PID 4108 wrote to memory of 1420	4108	cmd.exe	100
PID 4108 wrote to memory of 1420	4108	cmd.exe	100
PID 4108 wrote to memory of 1420	4108	cmd.exe	100
PID 4108 wrote to memory of 1876	4108	cmd.exe	102
PID 4108 wrote to memory of 1876	4108	cmd.exe	102
PID 4108 wrote to memory of 1876	4108	cmd.exe	102
PID 4108 wrote to memory of 4064	4108	cmd.exe	103
PID 4108 wrote to memory of 4064	4108	cmd.exe	103
PID 4108 wrote to memory of 4064	4108	cmd.exe	103
PID 4108 wrote to memory of 3384	4108	cmd.exe	104
PID 4108 wrote to memory of 3384	4108	cmd.exe	104
PID 4108 wrote to memory of 3384	4108	cmd.exe	104
PID 4108 wrote to memory of 4844	4108	cmd.exe	105
PID 4108 wrote to memory of 4844	4108	cmd.exe	105
PID 4108 wrote to memory of 4844	4108	cmd.exe	105
PID 3852 wrote to memory of 4148	3852	iexplore.exe	106
PID 3852 wrote to memory of 4148	3852	iexplore.exe	106
PID 3852 wrote to memory of 4148	3852	iexplore.exe	106
PID 4108 wrote to memory of 2420	4108	cmd.exe	107
PID 4108 wrote to memory of 2420	4108	cmd.exe	107
PID 4108 wrote to memory of 2420	4108	cmd.exe	107
PID 2420 wrote to memory of 2084	2420	rundll32.exe	108
PID 2420 wrote to memory of 2084	2420	rundll32.exe	108
PID 2420 wrote to memory of 2084	2420	rundll32.exe	108
PID 2084 wrote to memory of 1280	2084	runonce.exe	109
PID 2084 wrote to memory of 1280	2084	runonce.exe	109
PID 2084 wrote to memory of 1280	2084	runonce.exe	109
PID 3168 wrote to memory of 3624	3168	smap.tmp	116
PID 3168 wrote to memory of 3624	3168	smap.tmp	116
PID 3168 wrote to memory of 3624	3168	smap.tmp	116
PID 4132 wrote to memory of 2840	4132	cmd.exe	117
PID 4132 wrote to memory of 2840	4132	cmd.exe	117

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3384	attrib.exe
4844	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe
"C:\Users\Admin\AppData\Local\Temp\2154f77e836aba3e505e7a412d4999a5661264e16e129d84b27ed59dcc23d69e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Roaming\simc.tmp
  C:\Users\Admin\AppData\Roaming\simc.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3852 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4148
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f
        5⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:1876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:3384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4844
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1280
- - C:\Users\Admin\AppData\Roaming\smap.tmp
    C:\Users\Admin\AppData\Roaming\smap.tmp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resv.bin,MainLoad
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2154F7~1.EXE > nul
  2⤵
  PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FREERA~1\1.bat

Filesize
3KB

MD5
2b99b7f66b8ebba3071330bcbaccc022

SHA1
1a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52

SHA256
3ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09

SHA512
03671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671

Download Submit
C:\PROGRA~1\FREERA~1\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\PROGRA~1\FREERA~1\2.bat

Filesize
3KB

MD5
66255a9ad2f8d7deaa5577ca57942871

SHA1
8003fcd6cf3edd5b053b2765c7178ae90832f370

SHA256
553e76f0372969152c699aa8f02d0610114492cf1a0386cd425a6b6e861aa197

SHA512
895951abacd29c28e2970096db9e694626952791f4ff84a77c4f584baae80eb9ef7206fa501d671c6983c9c08cce9016a6a572b65d79fc9f5da39cea9e2d4a04

Download Submit
C:\PROGRA~1\FREERA~1\2.inf

Filesize
230B

MD5
f6dcb2862f6e7f9e69fb7d18668c59f1

SHA1
bb23dbba95d8af94ecc36a7d2dd4888af2856737

SHA256
c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

SHA512
eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

Download Submit
C:\PROGRA~1\FREERA~1\4.bat

Filesize
5.8MB

MD5
d2321b45cb34ddcdc10a82fd62722231

SHA1
42a5b57ff8c843e0dbade613c66f375f6995b8ca

SHA256
e9008d15bf3693c6438945640e0b1a3499be94eb42becb4d208ea32392cba21e

SHA512
cb0b214cda6a3516e0d6859e49f7df56eeec03ff1447e8c870197c64530d41d8cbb63b1fd39f87e0060dc4c45682e1de2672c4728160ce82bc678dc85faf30c3

Download Submit
C:\PROGRA~1\FreeRapid\resv.bin

Filesize
18.7MB

MD5
e9e6a3971c11b8fb94febcd7a9439b50

SHA1
b3871bc158cf5917046385e2563969b4349848e2

SHA256
7f57457a77e4f04f47cb6b72dc27e242548ba026a10d19ecd83a89457fb7e744

SHA512
cd7aa445ca3576a9e092025a11cc21c2c86af390d1ad3f55a7c93ffb33f2b59abfbe292a2b11d68f5a970e7df37fdd26885878c1507995d1f7b2a31694eeae78

Download Submit
C:\Program Files\FreeRapid\resv.bin

Filesize
19.9MB

MD5
59a44580752190e96517cbf636826f95

SHA1
46c1ca0c0dce9882e1debd48fd76d1cb5467ba22

SHA256
eecd84ed5dd691179d12c14c66fbd5c5867bb1a32f377d0651ca3fe87f115257

SHA512
e7ce6fc1130bb4ccbc410653059a19054c76ccb636052681c0415dc94a537a9e4b7d4e12e7a214027358018fd634cee81e29d54170122b3f1b03f955df332d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
957d711ef13aae49d723c4d2b1d4fa37

SHA1
aa818a5cfb5ce97987c05c8f20866cbbafb4bf93

SHA256
43184ac9a857febd19b97a04797528a7de0c15744ae3d540e23cc4b5f1d2641b

SHA512
f5c8fb180bba40d0755c909349bb960be5b8242de651237b9c2368d74accbf845f3cad131ff9b80f71745353dd11b53ddda7fd5cb928a2f543be217b9e975030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
feeeb80043f39a9f45a8bc05171aedc1

SHA1
e953ac1a164a35322d5f8a56a79f9d067adab062

SHA256
e3cb36745d853c52714b8d55cca2669d62a2ec2c20475521afee0fbf1265c156

SHA512
065525feecd6c61d41cc5f7fcf43441514863e556e8aee9de21909150f0e1d9a1dc4d3cf1b317e161e3b6b7a445aec6040f9e354ad3b8b6914da1a6dd66874cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat

Filesize
150B

MD5
a46b691be5eee69ff975ca45c311f018

SHA1
3b9bed578b7554252eb88f900ce398f25d01910a

SHA256
a29ce165a0fbd6c8dfec21c891ac2a4d385ef1f7b29e92ae46b131e6694628f4

SHA512
6b8acaa1871b6cb8d68bbabc48146b56f267abb329b9ac2357ac70911fd15bd668ff49260e12d54812fd4f066eed67e311414828ddbc3b9068b8b998edb9c08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
3d15f5598c7304d4620c459d16b672d6

SHA1
d5fd318f2347ef63c062aef5658c5ad5934107c6

SHA256
30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6

SHA512
09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
691B

MD5
97f94bb975876582715e95f7751546bb

SHA1
e1b07092d2454c2d95d8aa76bb44feedae59ce3e

SHA256
1b6df88776e4b304fe01c9f495e16fb7116a5eacea2579ea07146a6e2324f7c1

SHA512
7d1823c36abab4723094255fd98bfac8d9797f2e5d1c56930927e872ccb0f175c9046d63aaccb8ef3ebcd79adccb779c095e95cd277b383bf8c4f4ac4f2782f5

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
62f5d3c8be33d02250305244362a3b7d

SHA1
22c2cc5753fd4f2543fb50e6e0091f27e465963c

SHA256
d4d0cf45d085e430e15da0cb7e9c24629d43422850f059b7f0d5b927541fdfd3

SHA512
efcc4a486771577758db35e58c91093336d83a28fd0238d39e85c3e1b94ea3fdd4625d20db60cc038eda1c03bba4f0ab03cc223412a988eef79b6b9a6cd59179

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
62f5d3c8be33d02250305244362a3b7d

SHA1
22c2cc5753fd4f2543fb50e6e0091f27e465963c

SHA256
d4d0cf45d085e430e15da0cb7e9c24629d43422850f059b7f0d5b927541fdfd3

SHA512
efcc4a486771577758db35e58c91093336d83a28fd0238d39e85c3e1b94ea3fdd4625d20db60cc038eda1c03bba4f0ab03cc223412a988eef79b6b9a6cd59179

Download Submit
C:\Users\Admin\AppData\Roaming\smap.tmp

Filesize
57.2MB

MD5
ffa8ba6732427c0ecfb13e4d871ef405

SHA1
9f3c2f714ba8beaf7bd88bb3b9f214f9edc54070

SHA256
b1345f5a2679cc94214c5e940900fee0bd737ed6bb7c7afcfcbfd1f6d1ca19f2

SHA512
a17d2283ab92d11fe463af1b71b85c6d5c6a3e2207bb231420e4e2ed699faad7220fa3f08f3183efb5f9ee3bcaa60924af733a9c32cbc8b92cf0b54410cbfdc0

Download Submit
C:\Users\Admin\AppData\Roaming\smap.tmp

Filesize
57.2MB

MD5
ffa8ba6732427c0ecfb13e4d871ef405

SHA1
9f3c2f714ba8beaf7bd88bb3b9f214f9edc54070

SHA256
b1345f5a2679cc94214c5e940900fee0bd737ed6bb7c7afcfcbfd1f6d1ca19f2

SHA512
a17d2283ab92d11fe463af1b71b85c6d5c6a3e2207bb231420e4e2ed699faad7220fa3f08f3183efb5f9ee3bcaa60924af733a9c32cbc8b92cf0b54410cbfdc0

Download Submit
memory/2840-250-0x00000000739C0000-0x00000000739CA000-memory.dmp

Filesize
40KB

Download
memory/3168-149-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/3852-180-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-198-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-169-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-172-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-166-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-164-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-163-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-162-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-160-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-178-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-161-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-181-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-182-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-156-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-184-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-186-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-152-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-229-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-189-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-190-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-191-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-193-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-158-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-157-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-196-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-228-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-197-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-168-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-199-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-200-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-204-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-205-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-206-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-154-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-208-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-209-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-214-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-215-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-216-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-217-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-218-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-219-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-221-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-222-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/3852-223-0x00007FFD0BC10000-0x00007FFD0BC7E000-memory.dmp

Filesize
440KB

Download
memory/4828-139-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/4828-133-0x0000000000E70000-0x0000000000E73000-memory.dmp

Filesize
12KB

Download
memory/4828-132-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download