dcrat | 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Resubmissions

25-04-2024 18:41

240425-xbtfwade97 10

23-02-2024 00:25

22-02-2024 20:52

22-02-2024 17:28

22-02-2024 17:13

22-02-2024 17:01

22-02-2024 15:57

Analysis

max time kernel
122s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6958ACC382E71103A0B83D20BBBB37D2.exe
Size

232KB
MD5

6958acc382e71103a0b83d20bbbb37d2
SHA1

65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512

ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae
SSDEEP

3072:FdfbYSFlTBL/A9OYh6++4hY7gfv9yPQxAVUmZAzsqvj1letKv/jbNRKCnrQbW:PbYSFH/AYYh9vERVUmSAQj1la9

Score

10^/10

dcrat djvu glupteba lumma smokeloader stealc tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

tfd5

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.lkhy
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		6958ACC382E71103A0B83D20BBBB37D2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart"		BF98.exe
		380	schtasks.exe
		4900	schtasks.exe

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/4568-22-0x0000000002600000-0x000000000271B000-memory.dmp	family_djvu
behavioral2/memory/2484-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2484-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2484-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2484-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2484-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4696-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4696-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4696-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral2/memory/5080-95-0x0000000002E20000-0x000000000370B000-memory.dmp	family_glupteba
behavioral2/memory/5080-96-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5080-181-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5080-183-0x0000000002E20000-0x000000000370B000-memory.dmp	family_glupteba
behavioral2/memory/5080-193-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3340-196-0x0000000002F30000-0x000000000381B000-memory.dmp	family_glupteba
behavioral2/memory/3340-197-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3340-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3340-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4092-400-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4092-401-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4092-410-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3216	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	BF98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	A5C6.exe

Deletes itself 1 IoCs

pid	Process
3256	Process not Found

Executes dropped EXE 12 IoCs

pid	Process
4568	BF98.exe
2484	BF98.exe
3600	BF98.exe
4696	BF98.exe
2220	8A8.exe
5080	9847.exe
4960	A5C6.exe
1040	A809.exe
4040	Upgrades.pif
3340	9847.exe
4092	csrss.exe
2880	rjfavwt

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4296	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002323f-413.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9847.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart"	BF98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	api.2ip.ua
58	api.2ip.ua

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Process not Found
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 2484	4568	BF98.exe	96
PID 3600 set thread context of 4696	3600	BF98.exe	102

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	9847.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	9847.exe
File created	C:\Windows\rss\csrss.exe	9847.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4432	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3488	4696	WerFault.exe	102

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6958ACC382E71103A0B83D20BBBB37D2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjfavwt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjfavwt
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rjfavwt

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
380	schtasks.exe
4900	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3896	tasklist.exe
5100	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	9847.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	9847.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	9847.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	9847.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3956	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	6958ACC382E71103A0B83D20BBBB37D2.exe
764	6958ACC382E71103A0B83D20BBBB37D2.exe
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found
3256	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
764	6958ACC382E71103A0B83D20BBBB37D2.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	1040	A809.exe
Token: SeDebugPrivilege	3896	tasklist.exe
Token: SeDebugPrivilege	5100	tasklist.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	5080	9847.exe
Token: SeImpersonatePrivilege	5080	9847.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeShutdownPrivilege	3256	Process not Found
Token: SeCreatePagefilePrivilege	3256	Process not Found
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4040	Upgrades.pif
3256	Process not Found
3256	Process not Found
4040	Upgrades.pif
4040	Upgrades.pif
3256	Process not Found
3256	Process not Found

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4040	Upgrades.pif
4040	Upgrades.pif
4040	Upgrades.pif

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3256	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 4480	3256	Process not Found	92
PID 3256 wrote to memory of 4480	3256	Process not Found	92
PID 4480 wrote to memory of 3876	4480	cmd.exe	94
PID 4480 wrote to memory of 3876	4480	cmd.exe	94
PID 3256 wrote to memory of 4568	3256	Process not Found	95
PID 3256 wrote to memory of 4568	3256	Process not Found	95
PID 3256 wrote to memory of 4568	3256	Process not Found	95
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 4568 wrote to memory of 2484	4568	BF98.exe	96
PID 2484 wrote to memory of 4296	2484	BF98.exe	99
PID 2484 wrote to memory of 4296	2484	BF98.exe	99
PID 2484 wrote to memory of 4296	2484	BF98.exe	99
PID 2484 wrote to memory of 3600	2484	BF98.exe	100
PID 2484 wrote to memory of 3600	2484	BF98.exe	100
PID 2484 wrote to memory of 3600	2484	BF98.exe	100
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3600 wrote to memory of 4696	3600	BF98.exe	102
PID 3256 wrote to memory of 2220	3256	Process not Found	106
PID 3256 wrote to memory of 2220	3256	Process not Found	106
PID 3256 wrote to memory of 2220	3256	Process not Found	106
PID 3256 wrote to memory of 2872	3256	Process not Found	107
PID 3256 wrote to memory of 2872	3256	Process not Found	107
PID 2872 wrote to memory of 1692	2872	cmd.exe	109
PID 2872 wrote to memory of 1692	2872	cmd.exe	109
PID 3256 wrote to memory of 5080	3256	Process not Found	110
PID 3256 wrote to memory of 5080	3256	Process not Found	110
PID 3256 wrote to memory of 5080	3256	Process not Found	110
PID 5080 wrote to memory of 3480	5080	9847.exe	111
PID 5080 wrote to memory of 3480	5080	9847.exe	111
PID 5080 wrote to memory of 3480	5080	9847.exe	111
PID 3256 wrote to memory of 4960	3256	Process not Found	113
PID 3256 wrote to memory of 4960	3256	Process not Found	113
PID 3256 wrote to memory of 4960	3256	Process not Found	113
PID 3256 wrote to memory of 1040	3256	Process not Found	115
PID 3256 wrote to memory of 1040	3256	Process not Found	115
PID 4960 wrote to memory of 536	4960	A5C6.exe	116
PID 4960 wrote to memory of 536	4960	A5C6.exe	116
PID 4960 wrote to memory of 536	4960	A5C6.exe	116
PID 536 wrote to memory of 3896	536	cmd.exe	118
PID 536 wrote to memory of 3896	536	cmd.exe	118
PID 536 wrote to memory of 3896	536	cmd.exe	118
PID 536 wrote to memory of 3572	536	cmd.exe	119
PID 536 wrote to memory of 3572	536	cmd.exe	119
PID 536 wrote to memory of 3572	536	cmd.exe	119
PID 536 wrote to memory of 5100	536	cmd.exe	121
PID 536 wrote to memory of 5100	536	cmd.exe	121
PID 536 wrote to memory of 5100	536	cmd.exe	121
PID 536 wrote to memory of 4152	536	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A96F.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3876

C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Users\Admin\AppData\Local\Temp\BF98.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\BF98.exe
  C:\Users\Admin\AppData\Local\Temp\BF98.exe
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\a8e0840e-b118-40a3-b971-b20f5d38d0bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\BF98.exe
    "C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\BF98.exe
      "C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:4696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 568
        5⤵
        Program crash
        
        PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4696 -ip 4696
1⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\8A8.exe
C:\Users\Admin\AppData\Local\Temp\8A8.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCF.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1692

C:\Users\Admin\AppData\Local\Temp\9847.exe
C:\Users\Admin\AppData\Local\Temp\9847.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\9847.exe
  "C:\Users\Admin\AppData\Local\Temp\9847.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:232
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    PID:4092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3608
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:380
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4076
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:4900
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2840
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4432

C:\Users\Admin\AppData\Local\Temp\A5C6.exe
C:\Users\Admin\AppData\Local\Temp\A5C6.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 22108
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 22108\Upgrades.pif
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Meaning 22108\Z
    3⤵
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif
    22108\Upgrades.pif 22108\Z
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4040
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3956

C:\Users\Admin\AppData\Local\Temp\A809.exe
C:\Users\Admin\AppData\Local\Temp\A809.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\AppData\Roaming\rjfavwt
C:\Users\Admin\AppData\Roaming\rjfavwt
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia

Filesize
216KB

MD5
4e9db9155039f5a6a04e16a6a6bfe3b0

SHA1
b293c7fe05d7e92ce7d9cc6f36940eba14f5d460

SHA256
bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d

SHA512
8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here

Filesize
227KB

MD5
1e7e25167c2a8f93c2d176e935b21834

SHA1
95b93372222ebde1bed0e0efec167bdda7ef04bc

SHA256
d022378a9b3074cf3fb5ea080588846c0aaadb2112cfd5554a0068e76cdd5736

SHA512
503f7b6797182ed5f1ef42d3b52b2815e140ebed505fc9b81ee8f920e49c36f379881c1a51afb4b398c9577a583155a0d2c66ca6cdaf303ac9538746571efdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning

Filesize
577KB

MD5
a6c58504594ab91fc0ca6102abd10e80

SHA1
03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6

SHA256
b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7

SHA512
07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements

Filesize
151KB

MD5
d7563558933a24bd74f0254272cf7830

SHA1
6982d08318ff2204d3714ce12d68a99b4f726fe7

SHA256
1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e

SHA512
fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords

Filesize
207KB

MD5
334f84837c9bcece9220e2c979503f68

SHA1
bdbdc63f1b85f72f8cf487dec6aaeb98e352c283

SHA256
10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7

SHA512
37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td

Filesize
123KB

MD5
e32d058720e98d0fab73018ce1753b55

SHA1
f6b431cf3f225c3563591fbec4af922f6bff05d9

SHA256
1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b

SHA512
8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Unlikely

Filesize
10KB

MD5
19bc1bbe515dee767f02d503fa9d2cff

SHA1
acc900deea8e8eff4e1bda1ac2c89aa70ef0e7f9

SHA256
51ad4dc19fa436ac00a8b019da9ca49f30dcfe31d9aee0aabbb037fd10bca367

SHA512
fd0b3d6a867d8c7923d1166f546d4e14db0209df8d13dc46e9d08578ee78d4fc8739638e01f456f542cc383a2d086ed600931a8e889dcb1c4eb93d3cfe3a3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A8.exe

Filesize
5.6MB

MD5
479342d62078aaf31881972c7574f6f2

SHA1
382fa9a95746ca6199e7dfb9ae2bd035f4000fb4

SHA256
a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d

SHA512
0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da

Download Submit
C:\Users\Admin\AppData\Local\Temp\9847.exe

Filesize
4.1MB

MD5
c9e01ab6208b39a9f1a1253dca7e89bc

SHA1
5bcba5cc0dc560772f8026cb6dd4f236acbfd8bb

SHA256
0e1ccfee9b80ca2c36a53cc104ef5e8d3a702dabbcc1daafecca2a7f7db043b8

SHA512
4cacf3f7794a8e06ca2da7aaa0bef37009206fde58a5d5ce4326ef84addd7bdbfd7477b437ac6a72fa31023c17e9a7f7079bb0e97ff772d880d090bbb96d1da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5C6.exe

Filesize
128KB

MD5
ece62c9a4225735bbd34f8b0bc797acf

SHA1
e354f308248dd81939ffc0b1bd756cbc758eae13

SHA256
19ff68076a9879f0b78ed86818b6a4886527e71f8c5dcd1a6bfd9a6b394ffe6a

SHA512
8113f871fab27614b9f9ed5f32c31312b34754c4e047e74eed958edd9d0e917c7f685d9b9c37379e3f273ce7fa98f660e3c655ee301a9ccbca34b372b96c6b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5C6.exe

Filesize
3.1MB

MD5
50be07c44e47d88cd9d5b8462d4bc011

SHA1
fdb3e7e5f46b7660cf0c2282fa941009781df627

SHA256
5421065755f7a312ade0466963918c685f8de366c13247b2867a7fd3917d696d

SHA512
f40b6563c3efa7652cafabaeb93bea4c2338afb03dacf655a0105d2e8b96910a47d1cb756bff410389703ecce464cd55d3bd9884365edf5bd6fa561ef9e0af25

Download Submit
C:\Users\Admin\AppData\Local\Temp\A809.exe

Filesize
11KB

MD5
3d3ae7c2eddea19c3146543b95cdda7e

SHA1
ea36133e7bfc1b57cd8e78a6daf24f59526ceba0

SHA256
1f2a148765b1ef3247ca4312ea8d1460673744448ebd4559377eabd1ca1702f2

SHA512
2ee471f0e0423610dbac9f9d472d529d0b9da22f7ca45ae973a80080920f9ac04342051ad16858918ac4bbab48068b16d78d4d177b8a029c21dde509e333c775

Download Submit
C:\Users\Admin\AppData\Local\Temp\A96F.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF98.exe

Filesize
666KB

MD5
5648348e81a70ef7ab40f963b44713f6

SHA1
3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7

SHA256
4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d

SHA512
899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ymgg1wq.hjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\rjfavwt

Filesize
232KB

MD5
6958acc382e71103a0b83d20bbbb37d2

SHA1
65bf64dfcabf7bc83e47ffc4360cda022d4dab34

SHA256
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

SHA512
ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
da81748d347711407a31e7ea5fef66dc

SHA1
1f0a4a7b9d8892fa34a7569ce323183d564fbea3

SHA256
cd1f7873de189b7c34e7b2e407d8b268ed0ead2a6a65ce5a145413a1f8804111

SHA512
985d2b955a2e2021af859b71610f9edd5e3928775b7d23414168bde45690e16d4890b1dde0691b46e2a9cc57a4014dab790098926e1c3ef16ca1eb8b0c0d1516

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d8d1797059f662603821d6a51032a0b4

SHA1
da78a56bfd5c5b5a8dbeb70035c8dcd72f973779

SHA256
bff9fa28def49691f88fb266a22a78aec9b843ddc71fbf11717a5738b4cdb86d

SHA512
5bbae5d8bbbc0c59ca117c498f127eb5df7c40872938471adabfdc54cecc9c3d5096f63c79ca7caf1318a401bd0d4bf80fbc84fcc5af7733fa65269f52668822

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8a783818152b8ca1b50a7ffe53c1a906

SHA1
79fa580d6e772f76c856e07e8c748314c1e27926

SHA256
26d3adf7093d808ba85a9a26182488fcb11e721594a159ad26be1b2790df55e5

SHA512
f821b31dd01c66e24229885783e20b1c74a167a261baaadf9a85c3f83ec1bd187019bee97a8d63063e67a17a92d145a5126fccc39548a2d4144d8f75d232da85

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9d25225958b4aa7dee7fd90644821309

SHA1
588edfafac9e69757867d4c37749c1cb8ce8a5a8

SHA256
36f08cb16f7cbcb6ddfdd049983c54e195756c32717c641cf3ea1faa339dcb15

SHA512
1ba68a164746d83b830c94fa133f4074a3e0b7f3e841beede380ec8a0f3f3cba678fad080e8c28d4a1324798f8191d84f4565ca58b6b2b41d4b5f57d4eca401a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b4901204e06572a0563ed0a8893c1dc5

SHA1
d488d30d7fb96b4b9a96cdf2f5b5d6599a6eb50a

SHA256
bae5e8b8ee49f6557570ff871d5d1cd4ca26629ba2efca4fd9f3960d74789159

SHA512
7cd07b3db4741689889508cfe855c2a1107e39567822712001cbe69c6db719b3b427641cbf80568e835b8b6b2d9f2290435e077537700ef8c068981a7e3f7694

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/764-2-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/764-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/764-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/764-8-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/764-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1040-127-0x000000001B070000-0x000000001B080000-memory.dmp

Filesize
64KB

Download
memory/1040-165-0x000000001C500000-0x000000001C53C000-memory.dmp

Filesize
240KB

Download
memory/1040-110-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1040-125-0x00007FF9A2590000-0x00007FF9A3051000-memory.dmp

Filesize
10.8MB

Download
memory/1040-198-0x00007FF9A2590000-0x00007FF9A3051000-memory.dmp

Filesize
10.8MB

Download
memory/1040-164-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/2220-73-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2220-71-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2220-78-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/2220-79-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/2220-80-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/2220-81-0x0000000000620000-0x00000000010F7000-memory.dmp

Filesize
10.8MB

Download
memory/2220-83-0x0000000003070000-0x000000000360C000-memory.dmp

Filesize
5.6MB

Download
memory/2220-85-0x0000000002F80000-0x0000000002FB2000-memory.dmp

Filesize
200KB

Download
memory/2220-87-0x0000000002F80000-0x0000000002FB2000-memory.dmp

Filesize
200KB

Download
memory/2220-86-0x0000000002F80000-0x0000000002FB2000-memory.dmp

Filesize
200KB

Download
memory/2220-84-0x0000000002F80000-0x0000000002FB2000-memory.dmp

Filesize
200KB

Download
memory/2220-88-0x0000000000620000-0x00000000010F7000-memory.dmp

Filesize
10.8MB

Download
memory/2220-52-0x0000000000620000-0x00000000010F7000-memory.dmp

Filesize
10.8MB

Download
memory/2220-75-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2220-76-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/2220-61-0x0000000000620000-0x00000000010F7000-memory.dmp

Filesize
10.8MB

Download
memory/2220-60-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2220-62-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2220-74-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/2220-63-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2220-72-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/2220-77-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/2220-65-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2220-64-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2220-68-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2220-69-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2220-66-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2220-67-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2484-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2484-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2484-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2484-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2484-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-398-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3256-4-0x00000000026A0000-0x00000000026B6000-memory.dmp

Filesize
88KB

Download
memory/3256-393-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/3340-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3340-196-0x0000000002F30000-0x000000000381B000-memory.dmp

Filesize
8.9MB

Download
memory/3340-195-0x0000000002B30000-0x0000000002F2E000-memory.dmp

Filesize
4.0MB

Download
memory/3340-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3340-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3480-129-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3480-128-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/3480-161-0x0000000007E60000-0x0000000007E7E000-memory.dmp

Filesize
120KB

Download
memory/3480-162-0x0000000007EC0000-0x0000000007F63000-memory.dmp

Filesize
652KB

Download
memory/3480-163-0x0000000007FB0000-0x0000000007FBA000-memory.dmp

Filesize
40KB

Download
memory/3480-150-0x000000006F4D0000-0x000000006F51C000-memory.dmp

Filesize
304KB

Download
memory/3480-149-0x0000000007E80000-0x0000000007EB2000-memory.dmp

Filesize
200KB

Download
memory/3480-166-0x0000000008070000-0x0000000008106000-memory.dmp

Filesize
600KB

Download
memory/3480-148-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/3480-147-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/3480-146-0x0000000008120000-0x000000000879A000-memory.dmp

Filesize
6.5MB

Download
memory/3480-145-0x0000000007A20000-0x0000000007A96000-memory.dmp

Filesize
472KB

Download
memory/3480-144-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/3480-173-0x0000000007FD0000-0x0000000007FE1000-memory.dmp

Filesize
68KB

Download
memory/3480-143-0x0000000006E60000-0x0000000006EA4000-memory.dmp

Filesize
272KB

Download
memory/3480-142-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3480-185-0x0000000008030000-0x000000000803E000-memory.dmp

Filesize
56KB

Download
memory/3480-186-0x0000000008040000-0x0000000008054000-memory.dmp

Filesize
80KB

Download
memory/3480-187-0x00000000087C0000-0x00000000087DA000-memory.dmp

Filesize
104KB

Download
memory/3480-188-0x00000000087A0000-0x00000000087A8000-memory.dmp

Filesize
32KB

Download
memory/3480-191-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3480-141-0x0000000005630000-0x000000000564E000-memory.dmp

Filesize
120KB

Download
memory/3480-101-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3480-104-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/3480-103-0x00000000032F0000-0x0000000003326000-memory.dmp

Filesize
216KB

Download
memory/3480-106-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/3480-139-0x0000000006430000-0x0000000006784000-memory.dmp

Filesize
3.3MB

Download
memory/3480-151-0x000000006F640000-0x000000006F994000-memory.dmp

Filesize
3.3MB

Download
memory/3480-126-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/3600-40-0x0000000002420000-0x00000000024B8000-memory.dmp

Filesize
608KB

Download
memory/4040-184-0x0000000076E91000-0x0000000076FB1000-memory.dmp

Filesize
1.1MB

Download
memory/4040-404-0x0000000004F20000-0x0000000005167000-memory.dmp

Filesize
2.3MB

Download
memory/4040-405-0x0000000004F20000-0x0000000005167000-memory.dmp

Filesize
2.3MB

Download
memory/4040-406-0x0000000004F20000-0x0000000005167000-memory.dmp

Filesize
2.3MB

Download
memory/4040-403-0x0000000004F20000-0x0000000005167000-memory.dmp

Filesize
2.3MB

Download
memory/4040-407-0x0000000004F20000-0x0000000005167000-memory.dmp

Filesize
2.3MB

Download
memory/4084-207-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-199-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/4084-212-0x0000000006150000-0x000000000619C000-memory.dmp

Filesize
304KB

Download
memory/4084-201-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/4084-200-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/4092-410-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4092-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4092-400-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4568-21-0x0000000002560000-0x00000000025FA000-memory.dmp

Filesize
616KB

Download
memory/4568-22-0x0000000002600000-0x000000000271B000-memory.dmp

Filesize
1.1MB

Download
memory/4696-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4696-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4696-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5080-182-0x0000000002A10000-0x0000000002E18000-memory.dmp

Filesize
4.0MB

Download
memory/5080-94-0x0000000002A10000-0x0000000002E18000-memory.dmp

Filesize
4.0MB

Download
memory/5080-95-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download
memory/5080-96-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5080-193-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5080-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5080-183-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download