toxiceye | c5ee6af8e3d3bdf216ce505c98458fb68f13360ad6c0cf50487b6bd3f33c52f8

Analysis

max time kernel
807s
max time network
808s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

111KB
MD5

8834c1eaf28b3b076df2a0aac5d1148e
SHA1

640e70c94c0e01492c4c45cf2b23b65914a94cc5
SHA256

49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a
SHA512

59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561
SSDEEP

1536:p+bvqJIP4M91qQIwzUrxxxdKy2nBfUbhDqI6CsQWVzCrAZuDZ6Dd:sbvqJe4MUlxxDrbxqHBQWVzCrAZuDQd

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2716 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2716	rat.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3288 schtasks.exe
2200 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

392 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4596 tasklist.exe

pid	process
3288	schtasks.exe
2200	schtasks.exe

pid	process
392	timeout.exe

pid	process
4596	tasklist.exe

Modifies registry class 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exefirefox.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	3992	TelegramRAT.exe
Token: SeDebugPrivilege	4596	tasklist.exe
Token: SeDebugPrivilege	2716	rat.exe
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	904	firefox.exe
Token: SeDebugPrivilege	904	firefox.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

firefox.exefirefox.exe

pid	process
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe
904	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exefirefox.exe

pid process

3496 firefox.exe
904 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TelegramRAT.execmd.exerat.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3992 wrote to memory of 2200	3992	TelegramRAT.exe	schtasks.exe
PID 3992 wrote to memory of 2200	3992	TelegramRAT.exe	schtasks.exe
PID 3992 wrote to memory of 792	3992	TelegramRAT.exe	cmd.exe
PID 3992 wrote to memory of 792	3992	TelegramRAT.exe	cmd.exe
PID 792 wrote to memory of 4596	792	cmd.exe	tasklist.exe
PID 792 wrote to memory of 4596	792	cmd.exe	tasklist.exe
PID 792 wrote to memory of 4540	792	cmd.exe	find.exe
PID 792 wrote to memory of 4540	792	cmd.exe	find.exe
PID 792 wrote to memory of 392	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 392	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 2716	792	cmd.exe	rat.exe
PID 792 wrote to memory of 2716	792	cmd.exe	rat.exe
PID 2716 wrote to memory of 3288	2716	rat.exe	schtasks.exe
PID 2716 wrote to memory of 3288	2716	rat.exe	schtasks.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3496	2144	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 416	3496	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
2⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5C87.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5C87.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 3992"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\find.exe
find ":"
3⤵
PID:4540

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:392

C:\Users\Admin\rat.exe
"rat.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
4⤵
- Creates scheduled task(s)
PID:3288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d421f977-de15-41dd-b0e3-0490d25fb204} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" gpu
3⤵
PID:416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {832ceb71-d3f8-4ce8-81bc-59360cb0a6af} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" socket
3⤵
- Checks processor information in registry
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {741365f8-915d-49ec-a861-6e7f03ed544e} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab
3⤵
PID:972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3412 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {811759d9-b08c-427c-95bf-8b6d91e426f0} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab
3⤵
PID:4004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba052d1-353d-4529-ac28-bf6e4c162544} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" utility
3⤵
- Checks processor information in registry
PID:4048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5180 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16e03a61-bd22-4da6-babb-8ed752e90ced} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab
3⤵
PID:992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfdcd56-5cd1-4cb9-aa7d-4567797998db} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab
3⤵
PID:4512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {401fcf75-a9df-4d54-af61-bcdabe7a98fd} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab
3⤵
PID:4692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a27c5d1-c0df-4caf-a90f-3f2a413ad7e8} 904 "\\.\pipe\gecko-crash-server-pipe.904" gpu
3⤵
PID:2100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06c23d2c-9792-413b-9cd8-d0fa4ca6e8e4} 904 "\\.\pipe\gecko-crash-server-pipe.904" socket
3⤵
- Checks processor information in registry
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f95912-8037-426e-b86a-1f9dc4593e3a} 904 "\\.\pipe\gecko-crash-server-pipe.904" tab
3⤵
PID:4512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 3048 -prefMapHandle 3652 -prefsLen 29985 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab1ddad-0b73-48b0-94de-01fedaaefe49} 904 "\\.\pipe\gecko-crash-server-pipe.904" tab
3⤵
PID:3712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ea4d5d-478c-4d48-b20d-48221ff83e18} 904 "\\.\pipe\gecko-crash-server-pipe.904" utility
3⤵
- Checks processor information in registry
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
75c65568d28dfef57501e7e75cb2d7df

SHA1
475173c0b924aeb2b07e41ee21b7e28ef7c72c4b

SHA256
aa13bf3289094b5f9772f259997e5e8846611eaecad3c345aefc69339722a148

SHA512
4f8d279adf840fbf8a35e9e5bee61a6f9f0c5dde1fa0ec399ed08af9c479b1810ec2bc4d9ecbb7d94c5460f01fe3479d33ce9aa2d74659e62ce5845158bfecc5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
7f124c2e770d2d11df78225338b0010f

SHA1
159c5ed9acca5573ba4bcdf7fca139259383e866

SHA256
d38f5f7f08dbda2a9a42e7d72959ca7a58318ef34f308d460c35e08d8af470d6

SHA512
cd89f8b4ab77014d49476bfcad0f08188af96bf3a942077313b9b2ea57d724b703685d803935fe9b57ac075d55ac4901e81573d03d50ae02f7db555da574dd37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
9KB

MD5
3a9a96993c733bacf3ae87bd7e5f9bc6

SHA1
665344fc03226a53df7f3ba3847914ca784e1a87

SHA256
c0763b6d7f2d4e0353900fdf29991a26be72089dcd26fe5f79699fee18916c88

SHA512
b29a05a5bcd626afc7e76c1f3baed4a2b4778933801071525dec2d630ad4ea583fd3d5a94ec669a242364c07c04a5ef5c2e3a1dded1ecf27834e530fd70d0813

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F

Filesize
15KB

MD5
25fe1fb0b75990933215f6ea63b96e74

SHA1
27da8eb3df207f46106b1460ebee6c73e415f359

SHA256
1e4da1542a0635e512360e497aa3de2fec8dce04f9f9be470d0c8a4fa195417d

SHA512
acbcbc5d00160eefd48fdf6a33b8a598a0abc5316366d68a1433a7c55f21f39c10f7d4fb49f4a84e41d0d4a00b013403c24b6a3fdd5ee04dd090d027d5f2eb99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
104bc95c927de23717e88370f0c34e5b

SHA1
267505320ab8d19c64dd2e2d7909198b5c85db44

SHA256
f94beda278d274ab3ba8397af6a073a52f7fa4d21b4eb4c97068e5ac44d87780

SHA512
48345c24858cccddd9f3af2623083798ba1cbeb7012facff84c7994ff36ee822c1d18b461cd76d86cccac6b0069b818a2e304450e2e60a07d019311228abdc4d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
32KB

MD5
92a0d20c8dcbd6030d9b35f0fceefa44

SHA1
68e7961b31594aace3353b6376c04475ae836fd9

SHA256
5414855ef06fef77d5cb97e6839b2cecd1d346a026c2247d8fd81ee7c7bac5b3

SHA512
ca0f2465c5e3199ad7319113d35b1cd0ece03de8071b462ff840b53c548459327141981869bf93e020f3e4467f65aec8e16d52d53193bdd3fdc729ead24685f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\startupCache\scriptCache-child.bin

Filesize
462KB

MD5
24d6c20c2371bb9028a30bf2a6c873cb

SHA1
0c3e9dd4ae0d70fa241ff9c9104bc8800a8e703c

SHA256
5531f258fd34995aad0248d4781fa9182332fdad29406e3dee6d99fc2b7205ee

SHA512
a06ec9cc88980c6a9c8f18f65a205599f49eb62071d5a06e0328853de9e888687eb6eba70d7f0e4bc8d403a5cff532d2f93defbeefa3d469986c0466d8e02dc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\startupCache\scriptCache.bin

Filesize
8.6MB

MD5
bc61192a6c46a5cbdc470015df30b1de

SHA1
0d3d67942b2a07614e9a8ffd0dfde1e5a0c28901

SHA256
5b653bc5a2bff995d6fa901b67a4a61a36e1ca8e4ce637077491a61af984d39f

SHA512
3ebac15e657440ee4cb21bcfeae31dd37247d94da3c26e65fadcc50991c2d24a2e971833e600b28cd5cb41bc7fe191cdff0c6bb3038fc6d58bd3e21e0cd07e39

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
51f586a74f2c3c10e6fd61723f1963a0

SHA1
f94e60d58b67ec54a2ceff1afb2e31f0256cb9ae

SHA256
fca8f17f56516963a7714d5f589f2e8f63471be306f46ffe3b5a23c02a9a3ce8

SHA512
ca925aecb7484c7dfa20c0b470efba5fb004239481d5735c93f95ff786694c0a9686676e83dd2b5a6852315a1c48c1510ee79542d81d5ea3b3f5d2daa039b221

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oil2g1jl.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
f1bccbf0a7ccbc399ecf4749c60fbc63

SHA1
ca4ca6025ef98d2822e863429b684ada2e9ba3e4

SHA256
b943374f79771d487dff9b929067f347dd656346b5bc3249ad449e45f5933440

SHA512
257d01c084629be41f47b640f4a0fd4125c3118135b8e0c39effe1136c0d496f0d0313938b3a4ad0780df4027e8760b9168843c3766e213a10efea751dd86e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C87.tmp.bat

Filesize
185B

MD5
100a8fc83fe848967d9f4af6b0a7a2e4

SHA1
54db04a13c27b6b2cf2a8d9c159a290109081a16

SHA256
5221743f30b645ec9d7e998890d495e12202110367707ee712009d94025327f5

SHA512
2af097b39b2382cd4f991ac7d9e81bb818cd61f50fa98010b2950c178a0babfdb8fdeb9741ec68270bc4dfab038a75b9a65478df96f89b378185cf8c322fea1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\AlternateServices.bin

Filesize
3KB

MD5
56be8ae2ed9fec2cb89df4693841a3e3

SHA1
4bb2f6c077b8952eae83fc17f030758b1fecda2d

SHA256
034ef7dcb8f32f2196800ebfae79a24ba66d1737d774fc41ba963bfdb382141a

SHA512
9a141ff24a99b40e5e82c91db92ec934b1257c0ad658e0888a17ac2579ee073603363962f9bdc1223011752ff92044bb1f66cfec59bcce80fef91a225b583f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
c541e21744a8a77c7b279f900f98ec08

SHA1
3935725803ad437f02f972cdd1cf13516ce9b2c2

SHA256
a7ffacd0b44507ca964f6dabbf57f4114124699b9ac0c607058a6eaaa33fbe09

SHA512
d25fc8eaba059f12b63cc9b54a5414e6c3925e0172fc6b0bc6c25125eb85252b61926e20937a8838ffdf0821eef3d550b3cea6fb21640101c1718a1c123c4cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.bin

Filesize
13KB

MD5
41f8e450a11b857acc0e86e00bf32151

SHA1
9a13df2285a0f403c24c230818e8b1907fb30426

SHA256
c1e168103be22ac8a92e195986cef6be24d3809b237eb512a239199d0665470a

SHA512
8f1e8f77b70e3f9520a415ddbe85ef117c74797d2d9be36149d0031f2a21e1bc77e95b0412d17784d10303e597e7916470ea5542cdec8bc47fd526135c8813de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
79a6fc167804d9ab0bf37776c42f7f89

SHA1
9f2936e5221309e1c85e635297d01b19d84edff2

SHA256
499dbec114445e3f71f8eda14d6ce4417ff1b5e6acb161c09c8df9e96e5f29e4

SHA512
51dbab91a66100544efb95b0825aaf9fcfec59294054882815cfb00e260faf7d78556ae3b8de52723165934e25857d0776c2747e581b65375140c661e0840ade

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b596f06b733c5d8411ca99b89e575b32

SHA1
121a08fdea7c05eccdb89a838652118f3793eee4

SHA256
4c14ce8651cb4ba95386d1fc8e674fce52294703a6355db6f8f13f212116edca

SHA512
55eaf23f690d5999127a43ec5aea9781a6bae92002bfdd0826a078af4e7cba536216fd32d309af3cafb01f88ec0f0916341928131d3278fd66162580ffeb6c15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
cd7be2453001ca3976dd2123f7ff774a

SHA1
86c2166e8e40727e0d19194fa5bf9f6ae3749938

SHA256
8d7011a6b2dda3abd1de898e6bc1ef480453f2405278c4b9f18978ca97488007

SHA512
1608f2cb98dcfa0b48c9472d875fb7ae7c29b06e02bec24b28d8a099755aa89cddae2952743afa787cdaa09444092421f934de8c7fbe4462f88cbf4791f10f51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\events\events

Filesize
104B

MD5
defbf00981795a992d85fe5a8925f8af

SHA1
796910412264ffafc35a3402f2fc1d24236a7752

SHA256
db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d

SHA512
d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\1cb49f14-31b1-40c0-ac13-2aa774a3f98d

Filesize
671B

MD5
919e04af88ff2f95c6e1432cd1bc43ac

SHA1
56292a745959ba4c58ceef3044986787fce6c1d2

SHA256
04f32ad6dfa64d17b51d1402adf570566a98ae12a80fa8da6063a0862983ac53

SHA512
391f4f2e6d921f85ccb873304872668efcc0ad1642970fed0dbbbe54f528c3704c2e95eca721cc7751d4e5df8c9d83df6899c322809f27ab6554c0269538af57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\1da165ee-3cdb-4fa4-90be-48d6a0fdf8fd

Filesize
659B

MD5
07662c251f51dd38d245eb7f3e784b25

SHA1
8dad4c8692f888e498f41107d74beac35b0db072

SHA256
545bdd7e8430977f53e6f08fb1ca2dcc34efdc6e9d292b203379192bf1a326e4

SHA512
0b90312bb3e73c7d11702bdf7e21def1efa2c8ea185abdfea8f53be969c09bb7dc0b033d3bd794eb60e1a68e08f5ff76242688a3b2439043ba4330dea94e4bc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\e556889f-e3b4-485a-b98d-e9b4e0713474

Filesize
905B

MD5
c8c99f1b1c9d3c8cb9f1c528d8cdbc91

SHA1
71b52ddd8983207ab561b2fd90aacabcd5ca5c87

SHA256
0387480a3d4c75422a8905350ed8fd4490f4b80e82444fba91a6c74e5ee3da17

SHA512
749c931531950e143602a4517262eb12790478f2a0d11bdae024dc25736ee0b87c5bc0a645690c90014ddb79e7d12bc443d4117f918fd1ff451ce0a8c3c542db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\e7461589-60f6-4692-a785-da0006919994

Filesize
26KB

MD5
3f0b533a09efcf0eb1dcdf012b8cf0e1

SHA1
b0583a6e50f265ba7a24d21e6ec51ae00fe00a6c

SHA256
0d5915042a21950937e415babb9af0efef5267ac218c74545129d179549621f3

SHA512
8f4f243bcdbb10c11ef61867d15938dbe3aed5e42e29cbdb9269502ffd14162f9c244ca3bc95df46357a49ad400be4d45b178885accdfa3668271580a4a070d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\datareporting\glean\pending_pings\f0db8fe9-f03a-4de1-aae9-3a2bf964a2c7

Filesize
982B

MD5
5135cc9a36e1ced0d8eba235d6d0a140

SHA1
7db52ed758c78033f198458b5b679ea47ac25288

SHA256
a300e11d66ec8e79d93b2c92673fe7ab6f9d57a8d89883880ce5b79dafde46da

SHA512
fc741138e301d43a9971d76c3e58da905eb85e4aba95d4c7424441bd5b598d2e4fba6a1b586b6ddeaafdf7156e25c429dd8321c3f72e4cdc8b5998580ef2a41b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\prefs-1.js

Filesize
8KB

MD5
bded417e9af93197f161a559a9bf43ae

SHA1
16742ff89343fe42ad89ff6049383f6f9f76fff2

SHA256
caa2cd2ac41c81c16ff8599bdce72bb3a6c70612c912b42b9df87b9277640a00

SHA512
e3a0f83ce5e6227e79989aaee2f5902c6a3abfb627e2f1317e1ee2273a5369f6ab55e5c07c3787119faf7817e81ca197154d9d9d237ed63dccc4dd982628241f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\prefs-1.js

Filesize
8KB

MD5
ae1e69d2ec2b20ea87a033997073a13f

SHA1
aaaf6376be6be451a47faa4e2501bfb9d3884a13

SHA256
538a9b830c223a7f7cd4552c2d83be4d70a1a7bd46522eb505a967ee0d602a78

SHA512
62d6000eb277cf91f34e62baada6b9b98e536bb13e26fbb52a18bd6fe0bd8ca67b0bb34dd88e251c967482363c29a23904ce09b81f1da31440c2d22ff71de339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\prefs.js

Filesize
8KB

MD5
2ed8e206372289afe12cd9da4305fd68

SHA1
30d6ec95edc9191b2588f9cb6609e8c7c5e3d18b

SHA256
7ec0224d81510c70dc33c386d6d62a363cd0aba5efd4d214961d4fd4a5275d02

SHA512
0cddb8170f032928ef3ec65413e2df169787295d05702761d56e617e42390f31cc5f4f37d8c2ca1cf0c28c04822688f4a47275e33fa2c453241849c0b4f61438

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json

Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
6b77a9f779399e95d1cee931a2c8f8ff

SHA1
826efd4feb0d50fcce5696111af7c811b81adcd9

SHA256
3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

SHA512
ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
bfb58c42adb1379d2b8de761ed8574f1

SHA1
156e84e154776697c0828276998331d1333a1b79

SHA256
e988b27587750e5868a74fed855612b2de5285674cb30a0ab036b238136c44ca

SHA512
a366c9a9acbc1f1dd1be035cc8036270b5e7441a3d62c30ce09feaa4d79720c3da16576ba23f339df5b6e20b9156fc5e57d0334398e9ceec8a4b0ec97a65a135

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oil2g1jl.default-release\xulstore.json

Filesize
120B

MD5
8d689c06cb844185099c0398a280537e

SHA1
57073c7526ec37e94bb9db44fedc6d50276f7a6b

SHA256
96729e9b38f216605ff10715f96f364be32f02e2de23ede7e74b78244605124d

SHA512
3c7df326c695143915df1068cb2c0f58e93e4881b2c4d94b33948b80e954fbd4cf944ae53b4d15002b79fcdb8e88f8e9cf4c89ca50f56b7cfd8a13ea7dd6fff8

Download Submit
C:\Users\Admin\rat.exe

Filesize
111KB

MD5
8834c1eaf28b3b076df2a0aac5d1148e

SHA1
640e70c94c0e01492c4c45cf2b23b65914a94cc5

SHA256
49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a

SHA512
59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561

Download Submit
memory/3992-0-0x00000285D0D10000-0x00000285D0D32000-memory.dmp

Filesize
136KB

Download
memory/3992-1-0x00007FF8D82B0000-0x00007FF8D8D72000-memory.dmp

Filesize
10.8MB

Download
memory/3992-2-0x00000285EB430000-0x00000285EB440000-memory.dmp

Filesize
64KB

Download
memory/3992-6-0x00007FF8D82B0000-0x00007FF8D8D72000-memory.dmp

Filesize
10.8MB

Download