asyncrat | 280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.5MB
MD5

43c3f3e2e28157583e7eda204b2b103f
SHA1

43939dc8d125df242075d47edd696f6276f7ecb7
SHA256

280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b
SHA512

6721ad923a1b5329addf034c8decd7d1aee3db800ef19064cfd7d077211d938aab6bb654751b6443cd19bb7a8b6896139787e9379522b3be5e8c5b492c75ef63
SSDEEP

12288:qP5IhyeomsP5LxH94zj9jljH0bStIswondr1fDzqJVxLsE8LX:1QYrpDzq1uL

Score

10^/10

asyncrat purecrypter redline smokeloader cheat-menu backdoor discovery downloader infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

CHEAT-MENU

amrican-sport-live-stream.cc:4581

Attributes

auth_value
e948baa7e2fc2d71d02a5864e088ed36

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

smokeloader

Version

2022

http://glueberry-og.cc/

http://glueberry-og.co/

http://glueberry-og.to/

rc4.i32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect PureCrypter injector 28 IoCs

loader

resource	yara_rule
behavioral2/memory/4188-330-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-331-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-333-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-335-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-337-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-339-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-342-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-345-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-350-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-352-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-354-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-356-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-358-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-360-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-362-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-364-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-366-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-368-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-370-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-372-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-374-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-376-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-378-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-380-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-382-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-384-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-386-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter
behavioral2/memory/4188-388-0x000000001DE60000-0x000000001E562000-memory.dmp	family_purecrypter

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/2252-309-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bbeebeer\\vrvre.exe\","	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\","	emqnig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\","	qcnapd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\","	fcvkpo.exe

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1340-152-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	fcvkpo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	qcnapd.exe

Executes dropped EXE 5 IoCs

pid	Process
4004	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
4564	emqnig.exe
2224	qcnapd.exe
2632	fcvkpo.exe
4188	ykexmv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1340	2796	tmp.exe	87
PID 4564 set thread context of 2536	4564	emqnig.exe	98
PID 2224 set thread context of 2208	2224	qcnapd.exe	107
PID 2632 set thread context of 2252	2632	fcvkpo.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2208	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4004	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
4004	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
5016	powershell.exe
1340	InstallUtil.exe
5016	powershell.exe
4564	emqnig.exe
4564	emqnig.exe
1908	powershell.exe
1908	powershell.exe
1340	InstallUtil.exe
572	powershell.exe
572	powershell.exe
2628	powershell.exe
2628	powershell.exe
1340	InstallUtil.exe
2632	fcvkpo.exe
2632	fcvkpo.exe
4564	powershell.exe
4564	powershell.exe
2632	fcvkpo.exe
2632	fcvkpo.exe
2632	fcvkpo.exe
2252	RegAsm.exe
2252	RegAsm.exe
4468	powershell.exe
4468	powershell.exe
1340	InstallUtil.exe
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found
3216	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2536	RegAsm.exe
3216	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2252	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	tmp.exe
Token: SeDebugPrivilege	1340	InstallUtil.exe
Token: SeDebugPrivilege	4004	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4564	emqnig.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2224	qcnapd.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2632	fcvkpo.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	3216	Process not Found
Token: SeCreatePagefilePrivilege	3216	Process not Found
Token: SeShutdownPrivilege	3216	Process not Found
Token: SeCreatePagefilePrivilege	3216	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4004	2796	tmp.exe	86
PID 2796 wrote to memory of 4004	2796	tmp.exe	86
PID 2796 wrote to memory of 4004	2796	tmp.exe	86
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 2796 wrote to memory of 1340	2796	tmp.exe	87
PID 1340 wrote to memory of 2264	1340	InstallUtil.exe	94
PID 1340 wrote to memory of 2264	1340	InstallUtil.exe	94
PID 1340 wrote to memory of 2264	1340	InstallUtil.exe	94
PID 2264 wrote to memory of 5016	2264	cmd.exe	96
PID 2264 wrote to memory of 5016	2264	cmd.exe	96
PID 2264 wrote to memory of 5016	2264	cmd.exe	96
PID 5016 wrote to memory of 4564	5016	powershell.exe	97
PID 5016 wrote to memory of 4564	5016	powershell.exe	97
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 4564 wrote to memory of 2536	4564	emqnig.exe	98
PID 1340 wrote to memory of 2388	1340	InstallUtil.exe	100
PID 1340 wrote to memory of 2388	1340	InstallUtil.exe	100
PID 1340 wrote to memory of 2388	1340	InstallUtil.exe	100
PID 2388 wrote to memory of 1908	2388	cmd.exe	102
PID 2388 wrote to memory of 1908	2388	cmd.exe	102
PID 2388 wrote to memory of 1908	2388	cmd.exe	102
PID 1908 wrote to memory of 2224	1908	powershell.exe	103
PID 1908 wrote to memory of 2224	1908	powershell.exe	103
PID 1908 wrote to memory of 2224	1908	powershell.exe	103
PID 2224 wrote to memory of 432	2224	qcnapd.exe	104
PID 2224 wrote to memory of 432	2224	qcnapd.exe	104
PID 2224 wrote to memory of 432	2224	qcnapd.exe	104
PID 432 wrote to memory of 572	432	cmd.exe	106
PID 432 wrote to memory of 572	432	cmd.exe	106
PID 432 wrote to memory of 572	432	cmd.exe	106
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 2224 wrote to memory of 2208	2224	qcnapd.exe	107
PID 1340 wrote to memory of 2368	1340	InstallUtil.exe	109
PID 1340 wrote to memory of 2368	1340	InstallUtil.exe	109
PID 1340 wrote to memory of 2368	1340	InstallUtil.exe	109
PID 2368 wrote to memory of 2628	2368	cmd.exe	111
PID 2368 wrote to memory of 2628	2368	cmd.exe	111
PID 2368 wrote to memory of 2628	2368	cmd.exe	111
PID 2628 wrote to memory of 2632	2628	powershell.exe	112
PID 2628 wrote to memory of 2632	2628	powershell.exe	112
PID 2628 wrote to memory of 2632	2628	powershell.exe	112
PID 2632 wrote to memory of 4564	2632	fcvkpo.exe	113
PID 2632 wrote to memory of 4564	2632	fcvkpo.exe	113
PID 2632 wrote to memory of 4564	2632	fcvkpo.exe	113
PID 2632 wrote to memory of 2144	2632	fcvkpo.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
  "C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\emqnig.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\emqnig.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\emqnig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\emqnig.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qcnapd.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qcnapd.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\qcnapd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qcnapd.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        
        PID:2144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ykexmv.exe"' & exit
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ykexmv.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\ykexmv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ykexmv.exe"
        5⤵
        Executes dropped EXE
        
        PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
45463664384aea1e44c99f24942e4972

SHA1
18c21ec1832fff3250bfcfcfec09eb45da4ad625

SHA256
a5d9ebed56d07dd9e47b16ef1e73e4d8662f04eb183f8c49ab27102690f62c77

SHA512
fc0f928f8e9769d23e1b07dd1f1bdd5da2caaa7b38af2198a8757923143cd39ecdbe37b26058e9f8a1bff9c524c210e8c08939d42d442f6b4f40cb2667145e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
719efa76db31a4ecca682a1a856e04cc

SHA1
61b1837fb637ecb0a8d6682c2d3465c807696094

SHA256
325f3aec0fe30fd9dc0f4bce21db652556c8e4272a9b78cd5b8d58cd2b2e7cc3

SHA512
b720b79e5a03bd5ca1c2a18a6d4556d877fbb4cfd16d2d30e5bac76288a5bdb4f84305a7a6d0345e99afb04384b1987a947ecd5ab76f0aa978afc372ae313031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48d068e8bec06c82ee463b289459b69f

SHA1
891df4359d86792e9965375343f5aebee33e6289

SHA256
f7e1fdf2487ac930893afb10f4d4803b6c6cffecfebde8db0d4f3d4d17ef6f95

SHA512
a03506a1fba827d061b548de772d35414fb981598c9480893ce8a19e0c6040663322df133375f28b0f10bad07f9c1aece46ffdd3756b14e5b9ad120cec7a87d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3d8c8d291db5fc96cab9a89c8cf17e4b

SHA1
772210e43135f31adca8cedf87bf791511685f6e

SHA256
831f85ab25de4c007a0c0a76611b9f08f9a12b4603d26b8e30b7523c43a904e3

SHA512
64f6742d7cbc98ddcd82dcab1fb9e62e4c86d1252af312724ba4b4b6f3cd29c65a358004c1aff08ae941eb7c2e782a751db471b6116aa770ecd3fdfe3dfd4da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b90d19eddf7e78d3af9cab5242d4d7ef

SHA1
e10eae0843a101deb20757463122d8413915673b

SHA256
dc96bad96086a09489001cdf936eaf7af3897a976d03c078764cab1e430fd813

SHA512
148f10dd7d7f70521d7c7a642a618f62e213d95dc576f2869a2909a38f36c6cfcfef7d034bf3b3cca707ae7ebf535afea569fc2aa53bcc9f4437c55137d907e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqa3ogdn.2dh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\emqnig.exe

Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\emqnig.exe

Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe

Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvkpo.exe

Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcnapd.exe

Filesize
1.3MB

MD5
7bf2898f75b3974d2c53999f8d3f40fb

SHA1
c406aeef85ed1ce026b98b858af4be62da421119

SHA256
c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208

SHA512
20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcnapd.exe

Filesize
1.3MB

MD5
7bf2898f75b3974d2c53999f8d3f40fb

SHA1
c406aeef85ed1ce026b98b858af4be62da421119

SHA256
c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208

SHA512
20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykexmv.exe

Filesize
5.8MB

MD5
a4f3e603a335cbd6d8f9ff11c8f9a9c2

SHA1
a5de59863fb4acc05a9253562172f802420ed21b

SHA256
2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e

SHA512
659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykexmv.exe

Filesize
5.8MB

MD5
a4f3e603a335cbd6d8f9ff11c8f9a9c2

SHA1
a5de59863fb4acc05a9253562172f802420ed21b

SHA256
2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e

SHA512
659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

Download Submit
memory/572-240-0x0000000006A70000-0x0000000006AA2000-memory.dmp

Filesize
200KB

Download
memory/572-251-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/572-222-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/572-223-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/572-239-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/572-241-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/572-257-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download
memory/572-256-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/572-255-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/572-252-0x000000007EEF0000-0x000000007EF00000-memory.dmp

Filesize
64KB

Download
memory/572-254-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/572-253-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/1340-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1340-159-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1340-169-0x0000000006C20000-0x0000000006C3E000-memory.dmp

Filesize
120KB

Download
memory/1340-173-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1340-162-0x0000000005C60000-0x0000000005CFC000-memory.dmp

Filesize
624KB

Download
memory/1908-216-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1908-215-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2208-238-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2208-237-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/2208-235-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-259-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2224-221-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2224-220-0x00000000005D0000-0x0000000000720000-memory.dmp

Filesize
1.3MB

Download
memory/2252-309-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2536-202-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2536-201-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2536-200-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2536-198-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2628-272-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2628-274-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2628-271-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2632-278-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2632-277-0x0000000000940000-0x0000000000B96000-memory.dmp

Filesize
2.3MB

Download
memory/2632-292-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2796-136-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2796-137-0x0000000037240000-0x00000000372D2000-memory.dmp

Filesize
584KB

Download
memory/2796-135-0x0000000036DA0000-0x0000000036E06000-memory.dmp

Filesize
408KB

Download
memory/2796-138-0x0000000037890000-0x0000000037E34000-memory.dmp

Filesize
5.6MB

Download
memory/2796-134-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/2796-133-0x0000000000010000-0x0000000000196000-memory.dmp

Filesize
1.5MB

Download
memory/3216-344-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/4004-165-0x0000000009430000-0x00000000095F2000-memory.dmp

Filesize
1.8MB

Download
memory/4004-150-0x0000000000E00000-0x0000000000E5A000-memory.dmp

Filesize
360KB

Download
memory/4004-163-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/4004-158-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/4004-164-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/4004-156-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/4004-155-0x0000000005DE0000-0x00000000063F8000-memory.dmp

Filesize
6.1MB

Download
memory/4004-167-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/4004-166-0x0000000009D40000-0x000000000A26C000-memory.dmp

Filesize
5.2MB

Download
memory/4004-157-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/4004-154-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/4188-378-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-366-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-382-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-384-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-386-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-374-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-364-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-362-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-376-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-388-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-360-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-358-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-356-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-380-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-368-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-370-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-330-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-331-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-333-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-335-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-337-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-339-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-342-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-372-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-345-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-350-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-352-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4188-354-0x000000001DE60000-0x000000001E562000-memory.dmp

Filesize
7.0MB

Download
memory/4564-291-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4564-294-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4564-293-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4564-290-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4564-289-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4564-196-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

Filesize
64KB

Download
memory/4564-195-0x00000000024E0000-0x0000000002502000-memory.dmp

Filesize
136KB

Download
memory/4564-194-0x0000000000280000-0x0000000000352000-memory.dmp

Filesize
840KB

Download
memory/5016-185-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/5016-175-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/5016-186-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/5016-187-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/5016-188-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/5016-189-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

Filesize
136KB

Download
memory/5016-174-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/5016-172-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/5016-171-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

Filesize
216KB

Download