joker | 12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b

Analysis

max time kernel
187s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
Size

252KB
MD5

047c156bac3a1b49b36d8654cfbfd462
SHA1

63a61c568e0e55737168627ec14430189aa17e1a
SHA256

12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b
SHA512

7fbbe4dbb9d0c6465febc2869a6b854963ed7fe96110314e415ebcbef3ab3545c77a042996097fa2f8cdcfe12aaf1954b731f8a5dde988cb1b9ab88848bf4745
SSDEEP

3072:lCfFBrDkiap75bTlxPCMwy6K9MHecBQ41pBYe6:lCfFtDg9JqS0Heo6

Score

10^/10

joker evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
1664	simc.tmp
5028	smap.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3392	attrib.exe
2180	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smap.tmp

Loads dropped DLL 1 IoCs

pid	Process
4516	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	rundll32.exe
File opened for modification	C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}	attrib.exe
File opened for modification	C:\PROGRA~1\FREERA~1\3.bat	cmd.exe
File created	C:\Program Files\FreeRapid\2.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url	cmd.exe
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp	attrib.exe
File opened for modification	C:\PROGRA~1\FREERA~1\1.inf	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\2.inf	cmd.exe
File created	C:\Program Files\FreeRapid\resv.bin	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File created	C:\Program Files\FreeRapid\1.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File created	C:\Program Files\FreeRapid\4.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File opened for modification	C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	simc.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1174489942"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu5555.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu5555.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6A9938E4-4BAC-11ED-89AC-4AA92575F981} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990265"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1174489942"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu5555.site	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1173396165"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990265"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372508934"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990265"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990265"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1173396165"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu5555.site\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu5555.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?r"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?r"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	simc.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	simc.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	simc.tmp
1664	simc.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1664	simc.tmp
Token: SeRestorePrivilege	1664	simc.tmp
Token: SeIncBasePriorityPrivilege	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
Token: SeIncBasePriorityPrivilege	5028	smap.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2352	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2352	iexplore.exe
2352	iexplore.exe
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1664	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	82
PID 1048 wrote to memory of 1664	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	82
PID 1048 wrote to memory of 1664	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	82
PID 1664 wrote to memory of 1412	1664	simc.tmp	83
PID 1664 wrote to memory of 1412	1664	simc.tmp	83
PID 1664 wrote to memory of 1412	1664	simc.tmp	83
PID 1048 wrote to memory of 644	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	86
PID 1048 wrote to memory of 644	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	86
PID 1048 wrote to memory of 644	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	86
PID 1048 wrote to memory of 3900	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	87
PID 1048 wrote to memory of 3900	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	87
PID 1048 wrote to memory of 3900	1048	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	87
PID 644 wrote to memory of 1132	644	cmd.exe	88
PID 644 wrote to memory of 1132	644	cmd.exe	88
PID 644 wrote to memory of 1132	644	cmd.exe	88
PID 1132 wrote to memory of 2352	1132	cmd.exe	91
PID 1132 wrote to memory of 2352	1132	cmd.exe	91
PID 1132 wrote to memory of 4948	1132	cmd.exe	92
PID 1132 wrote to memory of 4948	1132	cmd.exe	92
PID 1132 wrote to memory of 4948	1132	cmd.exe	92
PID 1132 wrote to memory of 2736	1132	cmd.exe	94
PID 1132 wrote to memory of 2736	1132	cmd.exe	94
PID 1132 wrote to memory of 2736	1132	cmd.exe	94
PID 2736 wrote to memory of 4192	2736	cmd.exe	95
PID 2736 wrote to memory of 4192	2736	cmd.exe	95
PID 2736 wrote to memory of 4192	2736	cmd.exe	95
PID 2736 wrote to memory of 3908	2736	cmd.exe	96
PID 2736 wrote to memory of 3908	2736	cmd.exe	96
PID 2736 wrote to memory of 3908	2736	cmd.exe	96
PID 2736 wrote to memory of 2080	2736	cmd.exe	97
PID 2736 wrote to memory of 2080	2736	cmd.exe	97
PID 2736 wrote to memory of 2080	2736	cmd.exe	97
PID 644 wrote to memory of 5028	644	cmd.exe	98
PID 644 wrote to memory of 5028	644	cmd.exe	98
PID 644 wrote to memory of 5028	644	cmd.exe	98
PID 2736 wrote to memory of 1588	2736	cmd.exe	99
PID 2736 wrote to memory of 1588	2736	cmd.exe	99
PID 2736 wrote to memory of 1588	2736	cmd.exe	99
PID 2736 wrote to memory of 4196	2736	cmd.exe	100
PID 2736 wrote to memory of 4196	2736	cmd.exe	100
PID 2736 wrote to memory of 4196	2736	cmd.exe	100
PID 2736 wrote to memory of 3392	2736	cmd.exe	101
PID 2736 wrote to memory of 3392	2736	cmd.exe	101
PID 2736 wrote to memory of 3392	2736	cmd.exe	101
PID 2736 wrote to memory of 2180	2736	cmd.exe	102
PID 2736 wrote to memory of 2180	2736	cmd.exe	102
PID 2736 wrote to memory of 2180	2736	cmd.exe	102
PID 2736 wrote to memory of 3636	2736	cmd.exe	103
PID 2736 wrote to memory of 3636	2736	cmd.exe	103
PID 2736 wrote to memory of 3636	2736	cmd.exe	103
PID 3636 wrote to memory of 2864	3636	rundll32.exe	104
PID 3636 wrote to memory of 2864	3636	rundll32.exe	104
PID 3636 wrote to memory of 2864	3636	rundll32.exe	104
PID 2352 wrote to memory of 1408	2352	iexplore.exe	105
PID 2352 wrote to memory of 1408	2352	iexplore.exe	105
PID 2352 wrote to memory of 1408	2352	iexplore.exe	105
PID 2864 wrote to memory of 4832	2864	runonce.exe	106
PID 2864 wrote to memory of 4832	2864	runonce.exe	106
PID 2864 wrote to memory of 4832	2864	runonce.exe	106
PID 5028 wrote to memory of 2140	5028	smap.tmp	113
PID 5028 wrote to memory of 2140	5028	smap.tmp	113
PID 5028 wrote to memory of 2140	5028	smap.tmp	113
PID 644 wrote to memory of 4516	644	cmd.exe	115
PID 644 wrote to memory of 4516	644	cmd.exe	115

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3392	attrib.exe
2180	attrib.exe

C:\Users\Admin\AppData\Local\Temp\12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
"C:\Users\Admin\AppData\Local\Temp\12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\simc.tmp
  C:\Users\Admin\AppData\Roaming\simc.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1408
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?r"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:4192
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?r"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?r"" /f
        5⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:1588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4196
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:3392
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:2180
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:4832
- - C:\Users\Admin\AppData\Roaming\smap.tmp
    C:\Users\Admin\AppData\Roaming\smap.tmp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resv.bin,MainLoad
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\12E8CA~1.EXE > nul
  2⤵
  PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FREERA~1\1.bat

Filesize
3KB

MD5
f59c020b88707c94bcfc2e0ea04071c3

SHA1
e763297568bbbf1604f78c0775c5e4c3eea0ebe9

SHA256
9f9395959e8ef547909b8926eb48829048e12b1aaee324774ff5792636329fcd

SHA512
22eecdbdb8bc2dde2c7323b35869650c5c12b32cdf8d604a28e7331fe65dcf32f0e2d443723b2a256042ef8b0ad7c840ccd8fc4b644527c645aac0a1fd2ff343

Download Submit
C:\PROGRA~1\FREERA~1\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\PROGRA~1\FREERA~1\2.bat

Filesize
3KB

MD5
2b86dd7503205cc7e712ac0dd02a4058

SHA1
5926efd2c406c52f48528f8cb81299c2a31346b8

SHA256
c5b8452983f75115cf8fb4e83e64bd6f0a5521e8e80e60a8737b6b62526d655c

SHA512
b7e6326ff2ab3a8441d0c3db2fdbcfb2f28a85458d8aea6a118a7b434c4e6ed386a602d2a62589ca64c90a75d630fe11e654024bf2abef4ff967274216f0486f

Download Submit
C:\PROGRA~1\FREERA~1\2.inf

Filesize
230B

MD5
f6dcb2862f6e7f9e69fb7d18668c59f1

SHA1
bb23dbba95d8af94ecc36a7d2dd4888af2856737

SHA256
c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

SHA512
eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

Download Submit
C:\PROGRA~1\FREERA~1\4.bat

Filesize
5.8MB

MD5
4e5a0421385860aef3b2a8159604e669

SHA1
3edfe6eb2beca3f5714d9b18a205c3c26c7d8304

SHA256
345ce82c1b5deeaf3d021097c375b32e39865388e232a0fb1ee22168a4c7ea43

SHA512
c37e52f2774420a4b19d1b359605385c25614e416b42b75d43a508152b43b721abc9822ad26c7d299630ab7d156321c01d9512c2d62946dd2c520e0700d3d0d2

Download Submit
C:\PROGRA~1\FreeRapid\resv.bin

Filesize
57.2MB

MD5
939ae5384f95a1afa27005051f860130

SHA1
d26ce81d9bd2e1e854d58de6d673d490058f86c0

SHA256
67767e6e1c561ebbbda0cab8fc1ea7436b4b1df7da28492064f1b967efb827ef

SHA512
734938141521caf0213f48b85ea030e28784715ed9bfe9817ce0e1e1e87d99ac5e1f18287623e2eb9a4ce17b6b718f4d7f92a57e41ecbb38e8eb3bcc511eb04b

Download Submit
C:\Program Files\FreeRapid\resv.bin

Filesize
57.2MB

MD5
939ae5384f95a1afa27005051f860130

SHA1
d26ce81d9bd2e1e854d58de6d673d490058f86c0

SHA256
67767e6e1c561ebbbda0cab8fc1ea7436b4b1df7da28492064f1b967efb827ef

SHA512
734938141521caf0213f48b85ea030e28784715ed9bfe9817ce0e1e1e87d99ac5e1f18287623e2eb9a4ce17b6b718f4d7f92a57e41ecbb38e8eb3bcc511eb04b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
779B

MD5
fa238ec1516a0cbb877b31b975cf9051

SHA1
ee49a2e199ccb1146e5ec9596e310f6a4e3e1e27

SHA256
1991571c918d70e8cb40161acf8e62c31b085793cc272da6860a36dcf000572f

SHA512
8f0b28a0002781cc2dca26dd7ee154c6ef9a1b64e4667fc73d6c0926d55593100cf7c3ef29a76bd9b9344d2591edea60c4792e175f130ba9ee405aea4546200a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
240B

MD5
e9a1e4679dd3a8842302e97f1c062d16

SHA1
0cd380d2c0c77c12e0dddc8364f8c35dc3049a2b

SHA256
4388ca5659df679775328cc48ccbdb7ee2d4c1c1afacaad445ad297d6fd98398

SHA512
767c20ab5a5f8695b598161831858d841db9667f9fb1983836704a008be0fdac0a45c8f7f911b0a75ca5dbf43f00592125443999fb0fd79d7d6d825957847a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
240B

MD5
e9a1e4679dd3a8842302e97f1c062d16

SHA1
0cd380d2c0c77c12e0dddc8364f8c35dc3049a2b

SHA256
4388ca5659df679775328cc48ccbdb7ee2d4c1c1afacaad445ad297d6fd98398

SHA512
767c20ab5a5f8695b598161831858d841db9667f9fb1983836704a008be0fdac0a45c8f7f911b0a75ca5dbf43f00592125443999fb0fd79d7d6d825957847a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
240B

MD5
e9a1e4679dd3a8842302e97f1c062d16

SHA1
0cd380d2c0c77c12e0dddc8364f8c35dc3049a2b

SHA256
4388ca5659df679775328cc48ccbdb7ee2d4c1c1afacaad445ad297d6fd98398

SHA512
767c20ab5a5f8695b598161831858d841db9667f9fb1983836704a008be0fdac0a45c8f7f911b0a75ca5dbf43f00592125443999fb0fd79d7d6d825957847a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
1KB

MD5
5032754a12fdf60e009e470331032136

SHA1
99932f26a26ef9c7df5c79f5dcfc55552e4334ca

SHA256
29bb443d57543106c4f54d8ce4feb1a9274ca2ab12eda91d3381a5d966246ec2

SHA512
8902c374246319873343d10feda1853c64c6f189f902a153f5f4720a45c519312bb42b4176047b07ba89f79131ab6016abda53fa9c5b03407156f7ce99cda8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat

Filesize
150B

MD5
a46b691be5eee69ff975ca45c311f018

SHA1
3b9bed578b7554252eb88f900ce398f25d01910a

SHA256
a29ce165a0fbd6c8dfec21c891ac2a4d385ef1f7b29e92ae46b131e6694628f4

SHA512
6b8acaa1871b6cb8d68bbabc48146b56f267abb329b9ac2357ac70911fd15bd668ff49260e12d54812fd4f066eed67e311414828ddbc3b9068b8b998edb9c08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
3d15f5598c7304d4620c459d16b672d6

SHA1
d5fd318f2347ef63c062aef5658c5ad5934107c6

SHA256
30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6

SHA512
09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
691B

MD5
904b2d66b5bf080e83884f8419e1d0da

SHA1
a4d36ee888df458e7ca2c5e7e431fa173f224b98

SHA256
f3bb934abf0053d7c155b836ea4fc953c4746c6f5e238619cc5f0aeb74ab408b

SHA512
c435396982c5806379012302b0b8e68ebad2bced4866b30d1a509494576355c38625e1fb94147bfef369459fd530df250b0c53a68b7e08a88caffd2f7b24be31

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6d6b243ebc48945349f41014f10055c6

SHA1
6be0111225ab03da5001ccea5d0c42882d430d0c

SHA256
30c4662ca5ddfebd9b4c20e53a843fa5e69c9663cf40b8715b7c7bf7946f1725

SHA512
955eb150787cc10d2cb0f8f59009368d65c2b6d5cecd2914eb5a09915869f2cd6dfdbdfc387becef989567b4c195d162afabcbb6d57e8069fb43cd0ab2c00e45

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6d6b243ebc48945349f41014f10055c6

SHA1
6be0111225ab03da5001ccea5d0c42882d430d0c

SHA256
30c4662ca5ddfebd9b4c20e53a843fa5e69c9663cf40b8715b7c7bf7946f1725

SHA512
955eb150787cc10d2cb0f8f59009368d65c2b6d5cecd2914eb5a09915869f2cd6dfdbdfc387becef989567b4c195d162afabcbb6d57e8069fb43cd0ab2c00e45

Download Submit
C:\Users\Admin\AppData\Roaming\smap.tmp

Filesize
57.2MB

MD5
977088bd930c47bade6ae4616288d60b

SHA1
32531e9574c43349636f477158d5daca37ff8f7f

SHA256
d94b9e323d60a7daccd63b1752701bcef0146c1e2d18bd1cc79ee6e579ab5605

SHA512
7ca9c5aeaae5d37c3d3a2584aa22e460127ce7bd2c562d2f70fa3e125ef8ddd3fa7246debb2b0282cb19f0c9f7e08f886fdc88deb536027d438c08b03d3ca59a

Download Submit
C:\Users\Admin\AppData\Roaming\smap.tmp

Filesize
57.2MB

MD5
977088bd930c47bade6ae4616288d60b

SHA1
32531e9574c43349636f477158d5daca37ff8f7f

SHA256
d94b9e323d60a7daccd63b1752701bcef0146c1e2d18bd1cc79ee6e579ab5605

SHA512
7ca9c5aeaae5d37c3d3a2584aa22e460127ce7bd2c562d2f70fa3e125ef8ddd3fa7246debb2b0282cb19f0c9f7e08f886fdc88deb536027d438c08b03d3ca59a

Download Submit
memory/1048-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-215-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-197-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-161-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-168-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-162-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-157-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-159-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-233-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-172-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-151-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-176-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-158-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-179-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-177-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-171-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-152-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-183-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-228-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-182-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-156-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-227-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-187-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-189-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-192-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-194-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-193-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-195-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-196-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-198-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-199-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-164-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-203-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-226-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-205-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-206-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-207-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-208-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-213-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-214-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-154-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-217-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-218-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-216-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-220-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-221-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-222-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-223-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/2352-225-0x00007FFE87EB0000-0x00007FFE87F1E000-memory.dmp

Filesize
440KB

Download
memory/4516-249-0x0000000075920000-0x000000007592A000-memory.dmp

Filesize
40KB

Download
memory/5028-181-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download