asyncrat | 280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b

Analysis

max time kernel
99s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2023 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c3f3e2e28157583e7eda204b2b103f.exe
Size

1.5MB
MD5

43c3f3e2e28157583e7eda204b2b103f
SHA1

43939dc8d125df242075d47edd696f6276f7ecb7
SHA256

280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b
SHA512

6721ad923a1b5329addf034c8decd7d1aee3db800ef19064cfd7d077211d938aab6bb654751b6443cd19bb7a8b6896139787e9379522b3be5e8c5b492c75ef63
SSDEEP

12288:qP5IhyeomsP5LxH94zj9jljH0bStIswondr1fDzqJVxLsE8LX:1QYrpDzq1uL

Score

10^/10

asyncrat purecrypter redline smokeloader cheat-menu mova backdoor discovery downloader infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

CHEAT-MENU

amrican-sport-live-stream.cc:4581

Attributes

auth_value
e948baa7e2fc2d71d02a5864e088ed36

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

smokeloader

Botnet

MovA

Extracted

Family

smokeloader

Version

2022

http://glueberry-og.cc/

http://glueberry-og.co/

http://glueberry-og.to/

rc4.i32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect PureCrypter injector 28 IoCs

loader

resource	yara_rule
behavioral2/memory/4168-325-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-326-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-328-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-330-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-332-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-335-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-337-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-339-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-342-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-347-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-349-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-351-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-353-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-355-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-357-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-359-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-361-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-363-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-365-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-367-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-369-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-371-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-373-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-375-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-377-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-379-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-381-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter
behavioral2/memory/4168-383-0x000000001CD00000-0x000000001D402000-memory.dmp	family_purecrypter

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\","	egdfcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\","	jbcjdy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bbeebeer\\vrvre.exe\","	43c3f3e2e28157583e7eda204b2b103f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\","	ijezak.exe

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3668-152-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	43c3f3e2e28157583e7eda204b2b103f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	egdfcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jbcjdy.exe

Executes dropped EXE 5 IoCs

pid	Process
2840	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
3408	ijezak.exe
2296	egdfcs.exe
3328	jbcjdy.exe
4168	wjolxi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 3408 set thread context of 4468	3408	ijezak.exe	102
PID 2296 set thread context of 524	2296	egdfcs.exe	111
PID 3328 set thread context of 2296	3328	jbcjdy.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
524	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
2840	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
3328	powershell.exe
3668	InstallUtil.exe
3328	powershell.exe
3408	ijezak.exe
3408	ijezak.exe
1088	powershell.exe
1088	powershell.exe
3668	InstallUtil.exe
4900	powershell.exe
4900	powershell.exe
2624	powershell.exe
2624	powershell.exe
3668	InstallUtil.exe
3328	jbcjdy.exe
3328	jbcjdy.exe
3876	powershell.exe
3876	powershell.exe
3328	jbcjdy.exe
4688	powershell.exe
2296	RegAsm.exe
2296	RegAsm.exe
4688	powershell.exe
3668	InstallUtil.exe
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4468	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2296	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	43c3f3e2e28157583e7eda204b2b103f.exe
Token: SeDebugPrivilege	3668	InstallUtil.exe
Token: SeDebugPrivilege	2840	Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	3408	ijezak.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2296	egdfcs.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3328	jbcjdy.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	3144	Process not Found
Token: SeCreatePagefilePrivilege	3144	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 2840	4148	43c3f3e2e28157583e7eda204b2b103f.exe	85
PID 4148 wrote to memory of 2840	4148	43c3f3e2e28157583e7eda204b2b103f.exe	85
PID 4148 wrote to memory of 2840	4148	43c3f3e2e28157583e7eda204b2b103f.exe	85
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 4148 wrote to memory of 3668	4148	43c3f3e2e28157583e7eda204b2b103f.exe	86
PID 3668 wrote to memory of 1444	3668	InstallUtil.exe	98
PID 3668 wrote to memory of 1444	3668	InstallUtil.exe	98
PID 3668 wrote to memory of 1444	3668	InstallUtil.exe	98
PID 1444 wrote to memory of 3328	1444	cmd.exe	100
PID 1444 wrote to memory of 3328	1444	cmd.exe	100
PID 1444 wrote to memory of 3328	1444	cmd.exe	100
PID 3328 wrote to memory of 3408	3328	powershell.exe	101
PID 3328 wrote to memory of 3408	3328	powershell.exe	101
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3408 wrote to memory of 4468	3408	ijezak.exe	102
PID 3668 wrote to memory of 4856	3668	InstallUtil.exe	103
PID 3668 wrote to memory of 4856	3668	InstallUtil.exe	103
PID 3668 wrote to memory of 4856	3668	InstallUtil.exe	103
PID 4856 wrote to memory of 1088	4856	cmd.exe	106
PID 4856 wrote to memory of 1088	4856	cmd.exe	106
PID 4856 wrote to memory of 1088	4856	cmd.exe	106
PID 1088 wrote to memory of 2296	1088	powershell.exe	107
PID 1088 wrote to memory of 2296	1088	powershell.exe	107
PID 1088 wrote to memory of 2296	1088	powershell.exe	107
PID 2296 wrote to memory of 4544	2296	egdfcs.exe	108
PID 2296 wrote to memory of 4544	2296	egdfcs.exe	108
PID 2296 wrote to memory of 4544	2296	egdfcs.exe	108
PID 4544 wrote to memory of 4900	4544	cmd.exe	110
PID 4544 wrote to memory of 4900	4544	cmd.exe	110
PID 4544 wrote to memory of 4900	4544	cmd.exe	110
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 2296 wrote to memory of 524	2296	egdfcs.exe	111
PID 3668 wrote to memory of 544	3668	InstallUtil.exe	113
PID 3668 wrote to memory of 544	3668	InstallUtil.exe	113
PID 3668 wrote to memory of 544	3668	InstallUtil.exe	113
PID 544 wrote to memory of 2624	544	cmd.exe	115
PID 544 wrote to memory of 2624	544	cmd.exe	115
PID 544 wrote to memory of 2624	544	cmd.exe	115
PID 2624 wrote to memory of 3328	2624	powershell.exe	116
PID 2624 wrote to memory of 3328	2624	powershell.exe	116
PID 2624 wrote to memory of 3328	2624	powershell.exe	116
PID 3328 wrote to memory of 3876	3328	jbcjdy.exe	117
PID 3328 wrote to memory of 3876	3328	jbcjdy.exe	117
PID 3328 wrote to memory of 3876	3328	jbcjdy.exe	117
PID 3668 wrote to memory of 1456	3668	InstallUtil.exe	119

C:\Users\Admin\AppData\Local\Temp\43c3f3e2e28157583e7eda204b2b103f.exe
"C:\Users\Admin\AppData\Local\Temp\43c3f3e2e28157583e7eda204b2b103f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe
  "C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ijezak.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ijezak.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\ijezak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ijezak.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\egdfcs.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\egdfcs.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\egdfcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\egdfcs.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: AddClipboardFormatListener
        
        PID:524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wjolxi.exe"' & exit
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wjolxi.exe"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\wjolxi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wjolxi.exe"
        5⤵
        Executes dropped EXE
        
        PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
d7bb5be310ff57424cb1dc95b6f96aa7

SHA1
0c3e93c6622c1a9f537dd6f677720eb1ffb9750d

SHA256
a003b5deae5c68b3445bd1dc8707dcbc56ffc78bc97bb9fee8b6797f5f032e28

SHA512
5dd029f1f64f7960813b4e2faf186c5b94e19a6fc0d762da3e43cc0b1699c1023d4a7c69f529cfaf87e303038e227f0c0a20789c3a96f36c7edc3701f6c29010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
75ea7aeb7eb26fe9dfa61ca0929ac367

SHA1
1a231baf968870d91da158e8109dfdde3e239c00

SHA256
8866e5c86e299655c4d51b192cff246bb5806a263eab375ab729a80ffd7f39b0

SHA512
30d6dc836815249b08bba5ca36b3ef764f955f464c58329b50d1d2c6c018caa4951417d5511795a9ba6a74e1c482266e555f3f053865990427a433a609946b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a1c3775a82d9f018f220338c131a22cd

SHA1
5449a853464d6fe3d06cb054a0f7aef455c2551e

SHA256
4fdb0933922427012197b9e13e3d440cab89b6332ebc522ed3e90b4e50cd4d08

SHA512
8d778f690da348553777a3a99db6861c1f2667ea9c13e54c58a4dc9f28cd3d7c1757cd992f7e115d843a6a83156931dbb81b058494f323494be09ad382f718cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
fe87fe1028c3c30d877543e3d873e7a2

SHA1
d42f8fbc1ed14c6d5d895da484f25302017127b0

SHA256
20a51945cd43906da7315ce1b2a926676c4d845dd2987409cf7287ec1199339e

SHA512
d5d12b9d0aba852cf5e4d9b461836e1a161cfbf28270a0a216c76ab5003d39029c95321ef2e2ee88f8999c703b17e345849961beb044db1d98bd2a49d15293fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
594e1a6f497ced55b1ac9bb3c28f526f

SHA1
7665c87ea7a39d5f8755e093c719421e5363ac4b

SHA256
f756a570233563a563f76bbb92e1f5939daeceaf745bfecbf5af5e85f2177ec4

SHA512
b0e35c4f352009cb3b774927a66a35cd5b19287d55cf94d3b9629c6d627a208e149e7c5e461eaa3a9fe25914a33594c9c42e0b3fd63c9554a5dcb50845cc3131

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe

Filesize
336KB

MD5
9d590398fb10eea18dd2b45b32986999

SHA1
4d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3

SHA256
826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9

SHA512
dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzkjaswi.aj3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\egdfcs.exe

Filesize
1.3MB

MD5
7bf2898f75b3974d2c53999f8d3f40fb

SHA1
c406aeef85ed1ce026b98b858af4be62da421119

SHA256
c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208

SHA512
20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

Download Submit
C:\Users\Admin\AppData\Local\Temp\egdfcs.exe

Filesize
1.3MB

MD5
7bf2898f75b3974d2c53999f8d3f40fb

SHA1
c406aeef85ed1ce026b98b858af4be62da421119

SHA256
c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208

SHA512
20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijezak.exe

Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijezak.exe

Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe

Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbcjdy.exe

Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjolxi.exe

Filesize
5.8MB

MD5
a4f3e603a335cbd6d8f9ff11c8f9a9c2

SHA1
a5de59863fb4acc05a9253562172f802420ed21b

SHA256
2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e

SHA512
659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjolxi.exe

Filesize
5.8MB

MD5
a4f3e603a335cbd6d8f9ff11c8f9a9c2

SHA1
a5de59863fb4acc05a9253562172f802420ed21b

SHA256
2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e

SHA512
659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

Download Submit
memory/524-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/524-257-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/524-248-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/524-235-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/1088-214-0x00000000045D0000-0x00000000045E0000-memory.dmp

Filesize
64KB

Download
memory/1088-213-0x00000000045D0000-0x00000000045E0000-memory.dmp

Filesize
64KB

Download
memory/2296-219-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2296-306-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2296-218-0x00000000007F0000-0x0000000000940000-memory.dmp

Filesize
1.3MB

Download
memory/2624-270-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2624-269-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2840-158-0x000000000A570000-0x000000000A5AC000-memory.dmp

Filesize
240KB

Download
memory/2840-157-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2840-156-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/2840-162-0x000000000C4C0000-0x000000000C9EC000-memory.dmp

Filesize
5.2MB

Download
memory/2840-161-0x000000000BDC0000-0x000000000BF82000-memory.dmp

Filesize
1.8MB

Download
memory/2840-155-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/2840-154-0x000000000AA70000-0x000000000B088000-memory.dmp

Filesize
6.1MB

Download
memory/2840-150-0x00000000003E0000-0x000000000043A000-memory.dmp

Filesize
360KB

Download
memory/2840-166-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2840-164-0x000000000BD40000-0x000000000BD90000-memory.dmp

Filesize
320KB

Download
memory/2840-163-0x000000000BCC0000-0x000000000BD36000-memory.dmp

Filesize
472KB

Download
memory/3144-340-0x0000000002B70000-0x0000000002B86000-memory.dmp

Filesize
88KB

Download
memory/3328-173-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3328-171-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3328-172-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3328-275-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3328-169-0x0000000004CE0000-0x0000000004D16000-memory.dmp

Filesize
216KB

Download
memory/3328-289-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3328-274-0x00000000002B0000-0x0000000000506000-memory.dmp

Filesize
2.3MB

Download
memory/3328-183-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/3328-187-0x00000000067D0000-0x00000000067F2000-memory.dmp

Filesize
136KB

Download
memory/3328-186-0x0000000006780000-0x000000000679A000-memory.dmp

Filesize
104KB

Download
memory/3328-185-0x0000000006800000-0x0000000006896000-memory.dmp

Filesize
600KB

Download
memory/3328-170-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/3408-194-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download
memory/3408-192-0x00000000000B0000-0x0000000000182000-memory.dmp

Filesize
840KB

Download
memory/3408-193-0x00000000023B0000-0x00000000023D2000-memory.dmp

Filesize
136KB

Download
memory/3668-184-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3668-165-0x0000000007090000-0x00000000070AE000-memory.dmp

Filesize
120KB

Download
memory/3668-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3668-159-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3668-160-0x00000000060F0000-0x000000000618C000-memory.dmp

Filesize
624KB

Download
memory/3876-287-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3876-288-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3876-290-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3876-286-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3876-291-0x00000000704D0000-0x000000007051C000-memory.dmp

Filesize
304KB

Download
memory/3876-301-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4148-133-0x00000000004B0000-0x0000000000636000-memory.dmp

Filesize
1.5MB

Download
memory/4148-138-0x0000000038500000-0x0000000038AA4000-memory.dmp

Filesize
5.6MB

Download
memory/4148-137-0x0000000037EB0000-0x0000000037F42000-memory.dmp

Filesize
584KB

Download
memory/4148-136-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4148-135-0x0000000037A20000-0x0000000037A86000-memory.dmp

Filesize
408KB

Download
memory/4148-134-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/4168-339-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-359-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-383-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-381-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-379-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-377-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-375-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-373-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-371-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-369-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-367-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-365-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-363-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-361-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-357-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-325-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-326-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-328-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-330-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-332-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-335-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-337-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-355-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-342-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-353-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-347-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-349-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4168-351-0x000000001CD00000-0x000000001D402000-memory.dmp

Filesize
7.0MB

Download
memory/4468-196-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/4468-199-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/4468-198-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/4468-200-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/4900-237-0x0000000071030000-0x000000007107C000-memory.dmp

Filesize
304KB

Download
memory/4900-229-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4900-230-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4900-236-0x0000000006BF0000-0x0000000006C22000-memory.dmp

Filesize
200KB

Download
memory/4900-255-0x0000000007C60000-0x0000000007C68000-memory.dmp

Filesize
32KB

Download
memory/4900-247-0x0000000006BD0000-0x0000000006BEE000-memory.dmp

Filesize
120KB

Download
memory/4900-249-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4900-250-0x000000007F100000-0x000000007F110000-memory.dmp

Filesize
64KB

Download
memory/4900-251-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/4900-252-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/4900-253-0x0000000007B70000-0x0000000007B7E000-memory.dmp

Filesize
56KB

Download
memory/4900-254-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download