smokeloader | 538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185

Analysis

max time kernel
300s
max time network
190s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe
Size

693KB
MD5

83741bbca9631aa4925203fbddc0ad7d
SHA1

f636ef4f3279cd49d1036a70293f8390ecc96a3e
SHA256

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185
SHA512

55ee1b215e46024c3bb3722518d476be148c3c48d60d744c53fecba48b7a02ba9ab2f58b436b9657e4748d72d6696bc5e6f477f7805f91fa66841debd00b9a5b
SSDEEP

12288:tXBffJMAUAyQAg8Y3ElBvCm5KUwzq2uE2na367joJqTOX7gXX7:tXBfmPQXMqm5wzq2uDa367joJqaXQ7

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 42 IoCs

Processes:

Labs.pif

description	pid	process	target process
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE
PID 2476 created 1260	2476	Labs.pif	Explorer.EXE

Executes dropped EXE 43 IoCs

Processes:

Labs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifLabs.pifwdedbwg

pid	process
2476	Labs.pif
2956	Labs.pif
2952	Labs.pif
1408	Labs.pif
1880	Labs.pif
1068	Labs.pif
1076	Labs.pif
2252	Labs.pif
2060	Labs.pif
2296	Labs.pif
1952	Labs.pif
1732	Labs.pif
2316	Labs.pif
1864	Labs.pif
1892	Labs.pif
2388	Labs.pif
588	Labs.pif
324	Labs.pif
1048	Labs.pif
600	Labs.pif
1116	Labs.pif
1488	Labs.pif
1984	Labs.pif
1628	Labs.pif
2004	Labs.pif
700	Labs.pif
1044	Labs.pif
2180	Labs.pif
2884	Labs.pif
792	Labs.pif
1672	Labs.pif
332	Labs.pif
1060	Labs.pif
1620	Labs.pif
2852	Labs.pif
1636	Labs.pif
2268	Labs.pif
108	Labs.pif
884	Labs.pif
2328	Labs.pif
1052	Labs.pif
2984	Labs.pif
2504	wdedbwg

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Labs.pif

description pid process target process

PID 2476 set thread context of 872 2476 Labs.pif TapiUnattend.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2840	cmd.exe

description	pid	process	target process
PID 2476 set thread context of 872	2476	Labs.pif	TapiUnattend.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TapiUnattend.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TapiUnattend.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TapiUnattend.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TapiUnattend.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2872 tasklist.exe
1212 tasklist.exe

pid	process
2872	tasklist.exe
1212	tasklist.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Labs.pif

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Labs.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Labs.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Labs.pif

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1360 PING.EXE

pid	process
1360	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Labs.pifTapiUnattend.exeExplorer.EXE

pid	process
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
2476	Labs.pif
872	TapiUnattend.exe
872	TapiUnattend.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

TapiUnattend.exe

pid process

872 TapiUnattend.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1212 tasklist.exe
Token: SeDebugPrivilege 2872 tasklist.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Labs.pifExplorer.EXE

pid process

2476 Labs.pif
2476 Labs.pif
2476 Labs.pif
1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Labs.pifExplorer.EXE

pid process

2476 Labs.pif
2476 Labs.pif
2476 Labs.pif
1260 Explorer.EXE
1260 Explorer.EXE

pid	process
872	TapiUnattend.exe

description	pid	process
Token: SeDebugPrivilege	1212	tasklist.exe
Token: SeDebugPrivilege	2872	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.execmd.exeLabs.pif

description	pid	process	target process
PID 1660 wrote to memory of 2840	1660	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 1660 wrote to memory of 2840	1660	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 1660 wrote to memory of 2840	1660	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 1660 wrote to memory of 2840	1660	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 2840 wrote to memory of 1212	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 1212	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 1212	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 1212	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2280	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2280	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2280	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2280	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2872	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2872	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2872	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2872	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2588	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2588	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2588	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2588	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2568	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2568	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2568	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2568	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2672	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2672	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2672	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2672	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 2536	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2536	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2536	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2536	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2476	2840	cmd.exe	Labs.pif
PID 2840 wrote to memory of 2476	2840	cmd.exe	Labs.pif
PID 2840 wrote to memory of 2476	2840	cmd.exe	Labs.pif
PID 2840 wrote to memory of 2476	2840	cmd.exe	Labs.pif
PID 2840 wrote to memory of 1360	2840	cmd.exe	PING.EXE
PID 2840 wrote to memory of 1360	2840	cmd.exe	PING.EXE
PID 2840 wrote to memory of 1360	2840	cmd.exe	PING.EXE
PID 2840 wrote to memory of 1360	2840	cmd.exe	PING.EXE
PID 2476 wrote to memory of 2956	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2956	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2956	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2956	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2952	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2952	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2952	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 2952	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1408	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1408	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1408	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1408	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1880	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1880	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1880	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1880	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1068	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1068	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1068	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1068	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1076	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1076	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1076	2476	Labs.pif	Labs.pif
PID 2476 wrote to memory of 1076	2476	Labs.pif	Labs.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260

C:\Users\Admin\AppData\Local\Temp\538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe
"C:\Users\Admin\AppData\Local\Temp\538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2280

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c md 55115695
4⤵
PID:2568

C:\Windows\SysWOW64\findstr.exe
findstr /V "SlutSteLouisTranslation" Cyprus
4⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Breeding + Fuji + Weather 55115695\s
4⤵
PID:2536

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
55115695\Labs.pif 55115695\s
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:1360

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:588

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:324

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:600

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2004

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:700

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1044

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:792

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:332

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:108

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif"
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\TapiUnattend.exe
C:\Windows\SysWOW64\TapiUnattend.exe
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {32E194AA-0F96-43E3-A8CA-412B4AD998B2} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:1080

C:\Users\Admin\AppData\Roaming\wdedbwg
C:\Users\Admin\AppData\Roaming\wdedbwg
2⤵
- Executes dropped EXE
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\s
Filesize
242KB

MD5
832180873e27da9b7a218ec02099691a

SHA1
09a26d9ac5619df11650bf11e41c5dd96ea371d2

SHA256
19e0ed3240d70f9ac0602c8507cdcb12b448d8f4aea26f5f0a6913f9517f1a3f

SHA512
2abe2fd0d9e423b75d1d49d28711402c12c20ba7a88aa0c5360ddded3bac92f7f07b4fca874232e8f8c108427f3264e179a1a2f6f96f79aab1f8f07736f92ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Advocacy
Filesize
40KB

MD5
3e0a5939f55f64dc128ec03642f09392

SHA1
74fc5265b92bf9b807e023e968f94528904918e6

SHA256
4b0c83524efd0db079aba2519aaf676b784207ac84a7de69918e56c698d81a91

SHA512
ea6eb18fb83dfb46c5461e518a33e4a2279c803931e13fd5dd9d962eb4af35637c2011708b32f1d0457798bdad40f59dfb35ee770aa472cab2ef4901eddb0082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Breeding
Filesize
75KB

MD5
3ec78865d37dba4270b52656bfcd5d51

SHA1
761877d874e583014bfe9c5f0d5ba71ba4f788a6

SHA256
7c8734f0a4571438a469037571f7ad8a7513e779fd65f3d547d1426bad7b2034

SHA512
cb7cafaa16c342f9d5e4a3c9bcebe32b1b2106ad811132be75a4c9f9222fea9ddc5ba5fb0c9cef6626c01e81215f550c060e4300e9d64d83065e806b783e80c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cyprus
Filesize
210B

MD5
e5ecf7084f37757a977cb7854faf0dd2

SHA1
6778ea5ac5ecc59171883c2aa7204373f46c5fb1

SHA256
10d22d0f44bcdf23a31d0097069e1d095a86e2113580bfc61f50b7ac3218a4d2

SHA512
7f4eef0637c68154be4341c02da291e8b81e64ecd7ed5cba5d30a2e1a2e63839c1682fdade36a9da06124321aec610efaf23b4b5fcdd1bf4c6be104e7c0d9ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Folk
Filesize
121KB

MD5
00425db818e6fd2f0eeb0cf37469b749

SHA1
d9bd6e0afca273aa8a931360c2f91c0d9d1463a1

SHA256
da879d5eb37e5c0ef62422b95adb8aa39607bb6c6d1efa817cb8353633b8d0eb

SHA512
9b8d7aa19308b7376b4933e09613bac281d0ab332bce661b7e590f6568519c66a6d307883b3274e6668ad61b4ee52e519d8a574f6202ad827b9f0a2aa8366721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fuji
Filesize
60KB

MD5
901f468eeda506282d7906687c36ef22

SHA1
0fb000fa798d648c1309cc6599692ed6ac4d4990

SHA256
2f64e2c562e065ae15a95be85d128e6f99f6d201b3b18a8cf5dbb1ab8cb87d62

SHA512
17b4768ce6075ea83b774cf37bc2c2f2b7f6b78156c883cb6fa38422513fd8e19e03556a5baf549e31b4f02de78638a3f480421440f4e38ea32e8cd014cee0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mind
Filesize
98KB

MD5
83aeea636c54d733cc32ab493a5364d4

SHA1
545c1357944c51e9f8d2110d01dfa2076a716613

SHA256
0d5602ba1e91c3672992926d40ade260db5df228af923df30c5bf4242df2f133

SHA512
f61acfb0b7ace3331945dd1b623fed445b8e2641380861708d1146ca595bb921b81025f9e39aa8c94f7fef20635f009fd8bd4697227f61ed7b5dee56466b616a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Orders
Filesize
221KB

MD5
634d131aef5fb9666cdcaf3c8c2c4260

SHA1
87200be917ff801478dea404ef60980c45d05cde

SHA256
4536f5904c52e8e2b0b7aa3c5cf2527fe09dad507a40335473d4386eef02e0d7

SHA512
aa87118cd7cf36b567d58b0db75bf3e2058c8e3f7ace69e8be0e7f79e10ad316101bbdd3facaf9e725b75e4b755b8f674c1070a51da4dbc0720f4d1de1dbd3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Origins
Filesize
23KB

MD5
14dbb5fcfe93369164f6423ef2a9a618

SHA1
c5d414a05eecfd9ba26ede311dbe0c6addc62f79

SHA256
6cb0f1e1d71431257f46db15167cd8bf22313e6ab3425bad00c64ea918f213a5

SHA512
28e64e8d41da778cd1ba5c29667fd54f3ca5af276d87f8aa3d14ec77a1c15e04f5a58d7c0e5df8807d2c5381960f3fc25394f949365d09ebf8455a63470f2e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Titten
Filesize
104KB

MD5
237d2f88a43c21c9bc5599be91b3571b

SHA1
e94251dd329300f7c74631cdaafd5f504c4866fa

SHA256
698e3aba58edb38fb5c26cb561c65811636a18f8dd28edbe2cf9fcba87df229c

SHA512
79249b8a15e807c2af0423d2fb5615d96e95ee1a7e4e6e10fa196838194c1ee16f11c41d5580c9d40a693937fecf392e1c607439e3012bb035a99fa7a1334213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Towards
Filesize
288KB

MD5
9747e2f0863c6acee2cad8e96980658a

SHA1
3da9cfb884a513a5ecd9138d09287055a423d110

SHA256
6f47415606c5b750d66c7340f65a3fecafe28b2e7a83dadc3dc154d72b727fff

SHA512
a48acf816e1d607925a549b904a52665c5aaab37a3a9f198183e78c7ebff22806c1d74b934b01298da82b5701d553d1da4ebf1862099ed0091cedfe0571bb744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Weather
Filesize
107KB

MD5
c7980f56319f536020f8bef4bb8974c0

SHA1
adb8adf76b9add121cefbce1c58ca5510d21f671

SHA256
9e5bdbe0a3f24b4700e379f38fe40928ebfe69fc2fb2e9d2fd942b6cf7991545

SHA512
cb37715791f3e3d8c4bd30ccc8e3e8e84f4a8720467f80e742d70aa6e9755f1ecec9db8cf55d4d8f8572dce818f55ff7c3771bbacd6fa597c4db04ae56389e70

Download Submit
C:\Users\Admin\AppData\Roaming\wdedbwg
Filesize
11KB

MD5
fbd07354e3ecd632bbc9b49da0067fc5

SHA1
171a70f4b3414e87c917602fe7136f1af22fdd06

SHA256
b4e32ebc08ba8e7e2d952e7baeadddd971b5f6357066ba64d1a69c02daaa33ad

SHA512
9e83359c5ad6a3e1130d043ad2ad9bcab63f18a153572ba724e142d078e0b093a6285020d309ee1ac7f469f94737661473368a7fc6ced58e920a81bf070ece99

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55115695\Labs.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/872-148-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/872-149-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1260-150-0x0000000002600000-0x0000000002616000-memory.dmp

Filesize
88KB

Download