darkgate | 1eff3c163f78ac2db6b1b3140f2c8995d60eb305698fde906628f7baee6628ba

Analysis

max time kernel
1792s
max time network
1227s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

refurefy.msi
Size

4.2MB
MD5

e0e692aebaa2da2506ed840863673a8c
SHA1

8d2410aa0e2bc6b62cd4ef8a4278434661e62561
SHA256

1eff3c163f78ac2db6b1b3140f2c8995d60eb305698fde906628f7baee6628ba
SHA512

1521b7611f502fb1fec3667b26bff5b39d13e55cb942d2123bf90e28120782e9665de501b68d968b66a448c9a4a426be3431fbe287f2294010ab5273ef98acd5
SSDEEP

49152:npUPF9qhCxzT+WKjSX1ZzLVI4QWqyipO4+JtbjeYvd403NX9tmH3b3zB37irrrri:npoCQ1lLe7Wz1Jtbj9403NX9tmH3bjH

Score

10^/10

darkgate discovery stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

resource	yara_rule
behavioral2/memory/880-87-0x0000000006A90000-0x0000000006DDE000-memory.dmp	family_darkgate_v6
behavioral2/memory/5116-105-0x0000000003940000-0x00000000040E2000-memory.dmp	family_darkgate_v6
behavioral2/memory/880-110-0x0000000006A90000-0x0000000006DDE000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2272	ICACLS.EXE
4984	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Autoit3.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57762a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76D6.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e57762a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{294A282C-18F8-47AC-8642-42D8BE1F09CF}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	RdrCEF.exe
880	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
5116	MsiExec.exe
4872	RdrCEF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000083dd7964f79773090000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000083dd79640000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090083dd7964000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d83dd7964000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000083dd796400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4488	msiexec.exe
4488	msiexec.exe
880	Autoit3.exe
880	Autoit3.exe
880	Autoit3.exe
880	Autoit3.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1960	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeCreateTokenPrivilege	1960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1960	msiexec.exe
Token: SeLockMemoryPrivilege	1960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1960	msiexec.exe
Token: SeMachineAccountPrivilege	1960	msiexec.exe
Token: SeTcbPrivilege	1960	msiexec.exe
Token: SeSecurityPrivilege	1960	msiexec.exe
Token: SeTakeOwnershipPrivilege	1960	msiexec.exe
Token: SeLoadDriverPrivilege	1960	msiexec.exe
Token: SeSystemProfilePrivilege	1960	msiexec.exe
Token: SeSystemtimePrivilege	1960	msiexec.exe
Token: SeProfSingleProcessPrivilege	1960	msiexec.exe
Token: SeIncBasePriorityPrivilege	1960	msiexec.exe
Token: SeCreatePagefilePrivilege	1960	msiexec.exe
Token: SeCreatePermanentPrivilege	1960	msiexec.exe
Token: SeBackupPrivilege	1960	msiexec.exe
Token: SeRestorePrivilege	1960	msiexec.exe
Token: SeShutdownPrivilege	1960	msiexec.exe
Token: SeDebugPrivilege	1960	msiexec.exe
Token: SeAuditPrivilege	1960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1960	msiexec.exe
Token: SeChangeNotifyPrivilege	1960	msiexec.exe
Token: SeRemoteShutdownPrivilege	1960	msiexec.exe
Token: SeUndockPrivilege	1960	msiexec.exe
Token: SeSyncAgentPrivilege	1960	msiexec.exe
Token: SeEnableDelegationPrivilege	1960	msiexec.exe
Token: SeManageVolumePrivilege	1960	msiexec.exe
Token: SeImpersonatePrivilege	1960	msiexec.exe
Token: SeCreateGlobalPrivilege	1960	msiexec.exe
Token: SeBackupPrivilege	2236	vssvc.exe
Token: SeRestorePrivilege	2236	vssvc.exe
Token: SeAuditPrivilege	2236	vssvc.exe
Token: SeBackupPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	4972	srtasks.exe
Token: SeRestorePrivilege	4972	srtasks.exe
Token: SeSecurityPrivilege	4972	srtasks.exe
Token: SeTakeOwnershipPrivilege	4972	srtasks.exe
Token: SeBackupPrivilege	4972	srtasks.exe
Token: SeRestorePrivilege	4972	srtasks.exe
Token: SeSecurityPrivilege	4972	srtasks.exe
Token: SeTakeOwnershipPrivilege	4972	srtasks.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1960	msiexec.exe
1960	msiexec.exe
5008	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe
5008	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4972	4488	msiexec.exe	95
PID 4488 wrote to memory of 4972	4488	msiexec.exe	95
PID 4488 wrote to memory of 5116	4488	msiexec.exe	97
PID 4488 wrote to memory of 5116	4488	msiexec.exe	97
PID 4488 wrote to memory of 5116	4488	msiexec.exe	97
PID 5116 wrote to memory of 2272	5116	MsiExec.exe	98
PID 5116 wrote to memory of 2272	5116	MsiExec.exe	98
PID 5116 wrote to memory of 2272	5116	MsiExec.exe	98
PID 5116 wrote to memory of 1692	5116	MsiExec.exe	101
PID 5116 wrote to memory of 1692	5116	MsiExec.exe	101
PID 5116 wrote to memory of 1692	5116	MsiExec.exe	101
PID 5116 wrote to memory of 4872	5116	MsiExec.exe	116
PID 5116 wrote to memory of 4872	5116	MsiExec.exe	116
PID 4872 wrote to memory of 880	4872	RdrCEF.exe	104
PID 4872 wrote to memory of 880	4872	RdrCEF.exe	104
PID 4872 wrote to memory of 880	4872	RdrCEF.exe	104
PID 5116 wrote to memory of 1764	5116	MsiExec.exe	110
PID 5116 wrote to memory of 1764	5116	MsiExec.exe	110
PID 5116 wrote to memory of 1764	5116	MsiExec.exe	110
PID 880 wrote to memory of 5008	880	Autoit3.exe	108
PID 880 wrote to memory of 5008	880	Autoit3.exe	108
PID 880 wrote to memory of 5008	880	Autoit3.exe	108
PID 5116 wrote to memory of 4984	5116	MsiExec.exe	112
PID 5116 wrote to memory of 4984	5116	MsiExec.exe	112
PID 5116 wrote to memory of 4984	5116	MsiExec.exe	112
PID 880 wrote to memory of 5116	880	Autoit3.exe	97
PID 5008 wrote to memory of 2852	5008	AcroRd32.exe	115
PID 5008 wrote to memory of 2852	5008	AcroRd32.exe	115
PID 5008 wrote to memory of 2852	5008	AcroRd32.exe	115
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116
PID 2852 wrote to memory of 4872	2852	RdrCEF.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\refurefy.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 107ABA07B55428C1740F8B46EE374C17
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2272
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\iTunesHelper.exe"
    3⤵
    PID:4872
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\temp\Overdue Account Letter Feb 13, 2023.pdf"
        5⤵
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F287B3FFCC7D34589F99FDA94394DEDF --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9BBF5056A7B6C8716051552A30AFE517 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9BBF5056A7B6C8716051552A30AFE517 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:3640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=00F83D30F2BED35B1B5FB64E5AB118AF --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C303372F8954590EABB349E0B358DAC --mojo-platform-channel-handle=2012 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=744501B220E810EA6E3C87F3CCA9AE9E --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:3564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6B427864675A780723FA048BF8F32A99 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6B427864675A780723FA048BF8F32A99 --renderer-client-id=7 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5a0287a1a30b39d9a88793abe3a4f06d

SHA1
eb5b1a72f6c99de99fdf3556c258dea82dc1d494

SHA256
39318b0eab5da028e89fd8d6946b4d3afbaa6b4985609bd6f002679ecd0ae93b

SHA512
f96088f794061bf266aa12fc379d8f70556aea9f18a77677995be88fc0e4438a2b8016d7a9537bbdf837c295a4db292b9bb4437b442cbf3b5a6dc2ab55ee5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files.cab

Filesize
2.5MB

MD5
04ad84d2d35c9950a50d74ab64748584

SHA1
1260c2301ed32e11d565c598b96ef7db227904af

SHA256
b5c58884f4f2bfd992b27f1fac076d7bb54ed3c18947fe6b269e078224d389c2

SHA512
66c1b9eba34d395ad2756d9ad6dfe2c01cf271dad1b3f3315bfdd99cbc58d28d450e8eeaeda36cbee72840be19dd20c9b060bf641525febc0459755871f559bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\CoreFoundation.dll

Filesize
720KB

MD5
a87b315f7a90f31e7eacba22cc05fe0f

SHA1
c66f49f66a1ae0cfae482e9951441a2edab82c15

SHA256
5c42dff057b9f247e90c04f1b17bf1b0f77c16f6eea187ad580ed108f6896b9f

SHA512
846555ec081954923adc346a2babc3c137d3fc1791cece32aa9a68ac18ce43a41077d84902ff933d25cbdcefd343ba61916ff0b21fa0f34b90546fb1da7a5979

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\CoreFoundation.dll

Filesize
583KB

MD5
8b89faa06e9cee6d8fbc951d0126afc6

SHA1
6bb641fa37b24a683e42109c928104ae0ec1ce99

SHA256
a7fad960c2fbf8065fa4a4b946ef12ba83399ed85114e919b3ac38e22fa8fa84

SHA512
db47e98762430025ce3412289e9e3bf21ae2831992a8ddb1c7e25b5f941588b9989fa0ee216114d72c0594e9878826522de3a665ca8c1bd52426ec1703170204

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\files\sqlite3.dll

Filesize
763KB

MD5
cbb4364485da747111f4ac4c9e7f4b21

SHA1
09a6fe09f87d90ceefbd2eb239c3067a846a511a

SHA256
601d2e813cde70aa4bfd92ddf705559027060399d452ce9549ec77f06174355d

SHA512
89338057aa560e046ed61d44cc2ce584fbf1491023b5345a78187294715d873ae42b644665e866cef1482b551c7c1175cdbefe95fafa482fa7df4f19e9cfc0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\msiwrapper.ini

Filesize
1KB

MD5
90874dd211fc2676b03b6d7cc9a7459f

SHA1
46eeb17278f8e96066ebb2fdadd3376b8ed6d801

SHA256
c75546a6e45487ba2114c026ba2b94e8dd406bcde93744d929206c3d199d6d29

SHA512
eb4d4e081f8537097b8a5d089cc1effae9ce7a8ed6279a5f6704aed298cc0ce79313817c173750280eb1ace114eff43329a18572015f48667b9e19fda779b037

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-37fd11ce-b51b-4bb0-a57c-d955b87c7745\msiwrapper.ini

Filesize
1KB

MD5
d1e271762b3d88902efd85596ecef07e

SHA1
96d062313ddf30b1670b0aa81b46ff7d9dca098e

SHA256
b90e97808df4dab341970548561c50b0765b8a13d513e73ea660f847685429b2

SHA512
16441aa08692315f58494e6272fd30fd589f9033a3e776d3cdc6f58eb7a2eef2e567ac1c1a8edca25e07c5cb9b53f99725a1fe039f0ab572ea66f455d0f6ca3d

Download Submit
C:\Windows\Installer\MSI76D6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
499KB

MD5
b434ff60c5f956d7167145d5ccac895f

SHA1
c7df77c71455b12455861afa3f1ac4327d298c3c

SHA256
0c6f8b40673c82d5b503b78786d320e5ecd98a3b8c8a702579138b47731f8880

SHA512
846c2a228a29fa7c095de2b01e95f6d17e9b11e16e3e05169a108722b83bc0318ed4054f55b9812e7eecd22eaf0ebec9833e8728752f17fb2e8b17711a42a52a

Download Submit
C:\temp\Overdue Account Letter Feb 13, 2023.pdf

Filesize
233KB

MD5
ad9ef4cc5781eb1a9ad522c5eae25e57

SHA1
7da29e9c472aaa407ab17683b94b4c9f644394a4

SHA256
3a036153e86c0023d0f761bfb14333c694c28b2fa131620b50c2a357e303027d

SHA512
9961c809a0ceb22ded5edf9bbe00df95bb4656b429d5e85872fb77ff6579d279132fb66910fa4a1fee91c89c64e58da02f59b89ff6841ab733e2133bf0671966

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
d2e11dc2004046baecbfb842d5863c81

SHA1
c9e5748baf8b62547bace8bef38ca2d64b09f175

SHA256
6f032fb67a3bf3689efa6f662a5309e905ecba1980db709a2d0bf4ac8ebb928c

SHA512
24c3a57b3377a068cb7e783c63b72c491f8450da232a537c17f90d8dc3e2e4f0b13b32ffd49f1b88934faff5865098f029c3abb4f39ee24fd2310ca618a71f64

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
9.3MB

MD5
c96711f8b1ec1e50ba21fe4104b6c706

SHA1
3fee93d26e2e23999995fa32c08a34e254f80b20

SHA256
1d478d332f3aaacf0773f6be66f76a084e3e1de751c7ef69823194cc8154f970

SHA512
4e6f84f0b54016735e4cf3e0cd7a5621b9c34e7ce2d3d9855259a6e26827badef6ecf03100b73b136ff1d6ac3b08a216c019815c7ed5701223eb8bbd1e4fb1d0

Download Submit
\??\Volume{6479dd83-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef24608d-a9be-4a52-a0a1-d9170a4c99be}_OnDiskSnapshotProp

Filesize
6KB

MD5
9034d67addc6ad12b21b1ee5ea9921a2

SHA1
e2156931ea4267d734fce8ea220836b88824ea91

SHA256
b6a50caa1457bf70f942756ff0fd0cae8ea23be8feb7af6874cbeb996829a42e

SHA512
d052ecb84433e921260cb5eb5e4eec396cdbd898fe5aca829791161b1da75eb4617256168d52e954fbe7dfc8a1c13a91008ff5dc5910330fffe13bff818b9d64

Download Submit
\??\c:\temp\Autoit3.exe

Filesize
305KB

MD5
74d4bf8aad31b3ea56cb40b09fe00ab5

SHA1
8b5497c844fa7616d34e1c4d1b2e4abf6dd0b829

SHA256
85b2919851deeaa3a20c4252a76cb527892786544dadc6cf475da477d2ecab8c

SHA512
b2646c1a19b2358ef33bbb0583bc9ab286bc55240a78d51871dd01a1c5a726b904e2935360654ceb062aabcd61b15c87105842a7695fc808eb5527667342ef33

Download Submit
\??\c:\temp\script.au3

Filesize
586KB

MD5
c6021a5aec4c4254f3d866a7cf568dd3

SHA1
3efb58bf7f2f17d608365a3c685898e9b9b6d49f

SHA256
e4bec7357bad22f1924587621170ca22be1d4ef70ba5b0bf133d44eb1173defd

SHA512
1926a2f1b56436cc00167a1d50634b97f6f6f909d29e4d319061c2cdf9388fdf38a7b5fc0ddb29ee8f57da3ff45bd90d09dd7c930ef7e4bb4f184cfdafd32df1

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
dd1c5f83309a94272996a07fcff8734d

SHA1
49e1d44a0a18668407abf825dba95cc8204ed359

SHA256
eaab4bcfc55463f2ba708eba2e3e4a707c6e75513d5b9e84075b89979ea132be

SHA512
10563c675cfa2b1133ac3c3624f142c35064494af052eb031ab7c82cbfc688e44e00e7095d84dc047b294ae5f9f98cc67cb3139453049ada7e7dbb60869cfbf5

Download Submit
memory/880-86-0x0000000005110000-0x00000000060E0000-memory.dmp

Filesize
15.8MB

Download
memory/880-110-0x0000000006A90000-0x0000000006DDE000-memory.dmp

Filesize
3.3MB

Download
memory/880-87-0x0000000006A90000-0x0000000006DDE000-memory.dmp

Filesize
3.3MB

Download
memory/4872-91-0x0000021944550000-0x000002194475C000-memory.dmp

Filesize
2.0MB

Download
memory/4872-89-0x0000000064500000-0x000000006469D000-memory.dmp

Filesize
1.6MB

Download
memory/4872-78-0x0000021944550000-0x000002194475C000-memory.dmp

Filesize
2.0MB

Download
memory/5116-105-0x0000000003940000-0x00000000040E2000-memory.dmp

Filesize
7.6MB

Download
memory/5116-102-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download