Overview

overview

10

Static

static

10

dba803bf09...JC.exe

windows7-x64

10

dba803bf09...JC.exe

windows10-1703-x64

10

dba803bf09...JC.exe

windows10-2004-x64

10

dba803bf09...JC.exe

windows11-21h2-x64

10

Resubmissions

10-04-2024 02:55

240410-dektcsff5x 10

10-04-2024 02:54

240410-dd6z7scc89 10

10-04-2024 02:54

240410-dd6pfacc88 10

10-04-2024 02:54

240410-dd53xacc87 10

09-09-2023 16:01

230909-tgqqdscd3z 7

Analysis

  • max time kernel
    1195s
  • max time network
    1203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

  • Size

    203KB

  • MD5

    661cdb95fe5810f365ddb936ea8f3432

  • SHA1

    6210c0691ee20e61dc9a9da1a371d561cd850774

  • SHA256

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

  • SHA512

    aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

  • SSDEEP

    6144:8N0J0dLFzW/wKWsBGKqkv07bKXZSgsBuQdwLhXC1:8NDpzGAsgL+ZSwQdwLhXC1

Score
10/10
gurcuzgratcollectiondiscoveryratspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 3 IoCs
  • Detect ZGRat V1 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 22 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 42 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3668
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2660
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2732
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp" -C "C:\Users\Admin\AppData\Local\9krryil1hy"
            4⤵
              PID:2024
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:3132
      • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:4920
        • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
          "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3140
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:3112
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:4644
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:4884
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:1400
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3160
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:456
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:3096
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:4872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:428
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4656
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:3872
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:4912
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:860
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:956
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:1876
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5024
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:2972
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3576
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:2272
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:2952
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:2168
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:440
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:3968
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:4944
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:456
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:924
          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:304
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              2⤵
              • Executes dropped EXE
              PID:4736

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-certs
            Filesize

            18KB

            MD5

            e6188366d894350bee0514ce20f76e37

            SHA1

            b86f051257256480a314c02b00061fd821d7bb3e

            SHA256

            910ed5f3e0190a970b0208246773f2ba97e567205c8e836933c97e418ae57926

            SHA512

            4376945a6bd2fed9c8926201eb44ad25e8bfb93cbcb66276c29e40972a15cca39a7aedd7f5b02dde9a743bf9c7c0012c526c3fb3599a07e63eec054d74d9ea4a

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdesc-consensus.tmp
            Filesize

            2.6MB

            MD5

            8155dd4a16697830a63d507d2666b2a9

            SHA1

            e07a54b15c905cd1d9d41db3ccde3bade36bcdb4

            SHA256

            6b4f443629c32b632d8ad7bcb17d84da1e4eaec556dccdf98c5e9051cb404fed

            SHA512

            0cb6c3fa12cbe7f8e63c5c73c0665fc2593109801ba318c582c4bd1c14dfd27fff3252c22b9078040e743ec788ad9534856c72ca5e38d992d9cb5aeacf819e6f

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdescs.new
            Filesize

            10.5MB

            MD5

            4b115a27fba9a66cec9010901a7ea529

            SHA1

            7007aedc2c13b78c73947018ccf67275890c899e

            SHA256

            43b36173fd3c3eda080c3ac4c2157dae4fb4571b9bfeb62dca077d26f7492851

            SHA512

            6a32b75f20a1c3e972e20bd2983cf6139c82e233ab0ac5c3863faf7edc569e2afa5f1e2443fc821abff7f1d1cd92f7a251968a9da88022d6f2248e632b657b35

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\host\hostname
            Filesize

            64B

            MD5

            65d615f3856723437290a8b29a6090f0

            SHA1

            587ebbd0f84f78c33cfad8964ee3a5a89aa5e6a9

            SHA256

            6b2a6006add21754fdef0f49d190b6d9fe400fdbdcb4f90976300fbde237080e

            SHA512

            39bb16066b92fe966a4e228fc69058a534725595cfca5664a5d94b6b6cf1a5c448fe4e7d56d86bc0bc28b84934a23faec494ae6d554da83a92e310b6316ae32e

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\port.dat
            Filesize

            4B

            MD5

            b5c01503041b70d41d80e3dbe31bbd8c

            SHA1

            ff85921b5f9e5a7bba47582976bc6875a102c5e6

            SHA256

            1dffd68e5364ca2371d1627e59141f261264a7539f81c1746000b7320b5ad65b

            SHA512

            fc866f7a953f51b3c1e3d9ee8eeb874e359c4700eda2191017d9d777e1c228ceda52bda11d3a947ad26eef9dfdb9ca51403675c609fd4ea308aa66e8d51facc6

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            Filesize

            7.4MB

            MD5

            88590909765350c0d70c6c34b1f31dd2

            SHA1

            129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

            SHA256

            46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

            SHA512

            a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

            Download Submit

          • C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt
            Filesize

            218B

            MD5

            b6b07a3f819bb0352aa890b5a12010b9

            SHA1

            12a036b4f00ebf0824f202415498e89f7ad669bd

            SHA256

            a8e30ccbebbcb23470aa4de088cd30e90f83b9884cd89ccde879622f02f2250c

            SHA512

            af019f9b086edfc50a93311524eb6588db849aeed7b7bf1808a6a1a2aeaef949c7875f1942eea69b3207084d2b4cfae7990de84c43441f1081acd2c2c265f698

            Download Submit

          • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
            Filesize

            203KB

            MD5

            661cdb95fe5810f365ddb936ea8f3432

            SHA1

            6210c0691ee20e61dc9a9da1a371d561cd850774

            SHA256

            dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

            SHA512

            aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe.log
            Filesize

            847B

            MD5

            3308a84a40841fab7dfec198b3c31af7

            SHA1

            4e7ab6336c0538be5dd7da529c0265b3b6523083

            SHA256

            169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

            SHA512

            97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            324B

            MD5

            c24724d0babfccf030c90b23d1fa819d

            SHA1

            0f0c916e2c3642164e3efd562e2c08cd3f6c5de2

            SHA256

            8efbad00f0666be7584215c6460d566e09ae112ca820bd08d404145b426eecbf

            SHA512

            78e0ec3fa45eee833c30dc9a748d7ec4c1ddaec54ca503f85cacc2f31082bc9182033a9633ec778317ebd8bd542902215a6750b25f4c9f30e71f3909605448cd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            377B

            MD5

            a99191fa87045912cc1435603d6852df

            SHA1

            000a4d69456dbf59e24ec89c6789bd0c7670b38e

            SHA256

            5119a568a5f504e97c38c5d2600c18e497492b34307b19f4ba7d5feefec4d1bf

            SHA512

            166920a58965b43425b27304f1364e3c2744a5c2de915b5720a61604471ea030bef63f30e40fd5b8ad0a563ed1a0dbba737d6e4ce44181dd44886d2ccdaafd83

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            430B

            MD5

            8168ce4ceb5743f3ef39c739400fa785

            SHA1

            b9ae17c0f397897e31a9ea832a3b34d6db275855

            SHA256

            55892b663d48f86352501957da3942d66fa4667b13f237828bff6788e22e6e07

            SHA512

            fa743a4e43604bfa31189bf0716181e0d2d7678b6b535b90fa2327ae69270c2d65680209c189431780b97c95b556f5391068f24b5def5f91f9293c58b30dbf99

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            483B

            MD5

            9f57175b6dce161c6428258038ec5760

            SHA1

            b1da8015a44e0824824a5abd855de89137ecd51a

            SHA256

            1ec5af97f98b0044cc8e82de4b9b34fd40703e8c35ef76bb9d46d41729328fc2

            SHA512

            59d7e2ec681d03c49243716412a490e87a321b58fa9aabca4ea4bd5531f1be6f65306a896688918b835c50f686d24fa5e8cf0be486b88fa4b51ae2fd9383d2b5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            536B

            MD5

            04d5825a02a7b1b6bade37538ea58d47

            SHA1

            79891e1842025de0d791223a45baaf211de56e0d

            SHA256

            0abfe822628d27d090f347d3db03e9117f2d8fb79d84087595e998d92b2fc1a0

            SHA512

            ab57b48b373992951a4c8b8c94af2466ac64e7ca5963a34db3138067ac3394e26a50a27e2e88c315d4567eec5dd8fc8968b9013363f58c0712749c2d93c5fde0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            589B

            MD5

            43514122c87009389b53b3684d651b9b

            SHA1

            7dc80947eb670e4dfc5a710299f39861501f4ac0

            SHA256

            05c2cbd5c7ce79ace8f7e58e7b228200003d3fec99dbe644e1e98305a36f7965

            SHA512

            602d409f6e3005696038c171e67566cc45af55de91b3033e19c0a23425a7eeefa08f3ed6869d4503f4c906bbd6ecfc16c48349d3cee626987b5efd88fee98d3f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            642B

            MD5

            8000d2ae29213f7792b72d5a625cc25e

            SHA1

            9c306fa468d7911d66be318744dc91e55d60417b

            SHA256

            1d1aa9b168c24baeacf9ae38ed4b993a081b6f7092ff9d44fe4bc0a802752bab

            SHA512

            ea1f56fbd1822f03055b8324a928aaf4457ddf5c015bc3cf3295aad029c36a95f96ef4a28e60359abdac514ce78112e11af37419cd4328a2094a38eccbec5969

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            748B

            MD5

            28f472a32110debe86a8b4d98ba41375

            SHA1

            8569b1b297301944bfa09a316aabb9a46afbe6b2

            SHA256

            6f99f040828c0dedacf6985d71b12dbe9451c9c87fb600044bcafafca4af67f8

            SHA512

            0064e52937c00e35be30623f5b95488a9163f3b96cda3e5b3de1833205a4064584db06edd5edf74cedcd92045a2bea8e7c1bd6615c3f646f4d809d4fde13b30a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            854B

            MD5

            c902bf37990f14885e80bafb1b82f735

            SHA1

            3ea2d40f0e47a146840b24e76c72abfd901fff74

            SHA256

            26613170a9050c5cae69f52edc4de02fc3ed21b6e81289ee643d3b9c21ebc71b

            SHA512

            86ce54540a8e518cb22f1c9e7295c8b297ec5b961cd53280d61debdf9ebad7c45285b9a24bb6f5e65e153375c4bf70930c536e810bdc55944b95262bc456476e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            960B

            MD5

            d69f8f2e22a5efdb5111e072c08da0f8

            SHA1

            1d5c19d4e6ef754282e7c0f86f3a655a254ec60b

            SHA256

            90770f4153d3a4366731450d3b8dd424070980086d480ca6f3c545a4ef0c56c4

            SHA512

            3c40fad247f27d5996cd887d99f5b8608477113c7e9bf235148464f2368a292e0344db9b0d847cc4a7dc0cfd42b3ab438a2f6f2229d84a02ea8ebde93f177c47

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            1013B

            MD5

            a91c94cfc8de96f494c2ba33da77ea0f

            SHA1

            eb5f9d6a1034969cab7c7fa2703c0bac13c9cf07

            SHA256

            1c0b5718cb28666404fb5c4e2a8204bdb0c269b7269861b250a3ba535aba18b2

            SHA512

            70380ba9b43143716b0e4e46298e0e4367d330b7f6c29a1276c96688d82ad6632918b5ae5cd0d0986c30573939f5fd5b73acde0967f36d2ae86b3e5420bf04bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            1KB

            MD5

            8a41ae52c040d03ce61c5206186d2720

            SHA1

            8e92975c074824c74a5bee7ce2ef81dde0c89087

            SHA256

            dfe17f3d4f678b43e3955a7f98b29131bd49f0f08e0c053e5677cd9668907afc

            SHA512

            c8ae8cbfa20fcf4ffe50974e4d7d49b3fdce757c7c7b40eaf3784696aff70f4972977d6ee403d78d1eb4737675131ee813b6edd2bd893d6fa482102022a694c9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            165B

            MD5

            deb3cb2ba783e001dc792c4f22a25339

            SHA1

            895797cc8662e5ba8303c2ee6f303d71f0e91af6

            SHA256

            701b8fdd01f1dd096dfe55987c64bc657b574694e6ce92273d4dc6817ebe537f

            SHA512

            cef9fe588758a2d3742f1432194a628931dbed6a444bd51a2a97859d534ae7f15880cb4904defff9e36064da700f9a5b4bc806963f9d8a36e081187e3666f97c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
            Filesize

            218B

            MD5

            36b9664a6ec5fca34d42f293456a1a7a

            SHA1

            9d89e41264ed5bbbf6ceaf01dc7f4d9bac59e3a0

            SHA256

            f1d267b062f672336a3e71e716977184c1e6a89aaaf22eb6342d0b4d07354b83

            SHA512

            4013cb5772547cee4114a713f695e8983b26beb9b99d03129c3c9a3a729309e1f1d38d770a6294b7bb1eb3c3089dd8925e0279e99a3fd4be414048d2e48a2b87

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp
            Filesize

            13.3MB

            MD5

            89d2d5811c1aff539bb355f15f3ddad0

            SHA1

            5bb3577c25b6d323d927200c48cd184a3e27c873

            SHA256

            b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

            SHA512

            39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

            Download Submit

          • memory/304-312-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/304-315-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/304-313-0x0000014FCF5B0000-0x0000014FCF5C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/440-276-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/440-272-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/456-307-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/456-305-0x00000291F5430000-0x00000291F5440000-memory.dmp

            Filesize

            64KB

            Download

          • memory/456-304-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/956-214-0x000002589ADA0000-0x000002589ADB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/956-213-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/956-218-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/968-188-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/968-144-0x00000253989F0000-0x0000025398A00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/968-143-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/968-148-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/968-184-0x0000017C73BC0000-0x0000017C73BD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/968-183-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1140-154-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1140-155-0x00000205C9BC0000-0x00000205C9BD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1140-159-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1876-113-0x00007FFE39000000-0x00007FFE39AC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1876-109-0x00007FFE39000000-0x00007FFE39AC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-107-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-103-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-244-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1992-248-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2148-93-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2148-97-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2504-262-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2504-258-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2784-199-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2784-195-0x000001E7E7BB0000-0x000001E7E7BC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2784-194-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2984-290-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2984-286-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3160-141-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3160-137-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3576-230-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3576-238-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3744-127-0x00007FFE39000000-0x00007FFE39AC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3744-123-0x00007FFE39000000-0x00007FFE39AC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4032-6-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4032-0-0x000002CA13E60000-0x000002CA13E98000-memory.dmp

            Filesize

            224KB

            Download

          • memory/4032-3-0x00007FFE395D0000-0x00007FFE3A091000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4032-4-0x000002CA2E3B0000-0x000002CA2E3C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4656-177-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4656-173-0x00007FFE39430000-0x00007FFE39EF1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4896-87-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4896-62-0x000001E965BD0000-0x000001E965BE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4896-60-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4896-12-0x000001E965BD0000-0x000001E965BE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4896-11-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4920-71-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4920-75-0x00007FFE380C0000-0x00007FFE38B81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5024-224-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5024-228-0x00007FFE39560000-0x00007FFE3A021000-memory.dmp

            Filesize

            10.8MB

            Download