redline | f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
Size

596KB
MD5

1d3535cc01b2cc54b808a55e945707a0
SHA1

a9a563b8ee37f17c847248bb207b28086d9f4628
SHA256

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
SHA512

4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
SSDEEP

12288:15/Sm4/r42toIX4IaZo2BOtdMKX8MbICwAvV6LwfAnxMlpxxWmBNIg9SWvAK:70/rX8IJ2BwNQcfAnxgDzBx

Score

10^/10

redline sectoprat xworm docx vic discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

Vic

beshomandotestbesnd.run.place:1111

Extracted

Family

redline

Botnet

DOCX

beshomandotestbesnd.run.place:1111

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3824-455-0x000000001B8F0000-0x000000001B8FE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\system.exe	family_xworm
behavioral2/memory/3824-130-0x00000000000D0000-0x00000000000EA000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_redline
behavioral2/memory/4712-135-0x0000000000720000-0x000000000073E000-memory.dmp	family_redline
behavioral2/memory/3824-452-0x000000001B8D0000-0x000000001B8EE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\build.exe	family_sectoprat
behavioral2/memory/4712-135-0x0000000000720000-0x000000000073E000-memory.dmp	family_sectoprat
behavioral2/memory/3824-452-0x000000001B8D0000-0x000000001B8EE000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4580 powershell.exe
3816 powershell.exe
3600 powershell.exe
2608 powershell.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4112-5-0x0000000002630000-0x0000000002696000-memory.dmp	net_reactor
behavioral2/memory/4112-7-0x00000000026A0000-0x0000000002704000-memory.dmp	net_reactor
behavioral2/memory/4112-33-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-41-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-71-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-69-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-67-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-65-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-61-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-59-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-57-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-55-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-51-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-49-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-47-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-45-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-39-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-37-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-35-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-31-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-29-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-27-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-25-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-21-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-19-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-15-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-13-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-11-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-63-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-53-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-43-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-23-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-17-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-9-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor
behavioral2/memory/4112-8-0x00000000026A0000-0x00000000026FF000-memory.dmp	net_reactor

Drops startup file 2 IoCs

Processes:

system.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk	system.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk	system.exe

Executes dropped EXE 7 IoCs

Processes:

system.exebuild.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exe

pid process

3824 system.exe
4712 build.exe
1832 taskmgr.exe
4224 taskmgr.exe
204 taskmgr.exe
5052 taskmgr.exe
3720 taskmgr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3824	system.exe
4712	build.exe
1832	taskmgr.exe
4224	taskmgr.exe
204	taskmgr.exe
5052	taskmgr.exe
3720	taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\ProgramData\\taskmgr.exe"	system.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5068 schtasks.exe

flow	ioc
4	ip-api.com

pid	process
5068	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	system.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

system.exe

pid process

3824 system.exe

pid	process
3824	system.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesystem.exebuild.exe

pid	process
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
3824	system.exe
4712	build.exe
4712	build.exe
3824	system.exe
3824	system.exe
3824	system.exe
3824	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exesystem.exebuild.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
Token: SeDebugPrivilege	3824	system.exe
Token: SeDebugPrivilege	4712	build.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe
Token: SeManageVolumePrivilege	4580	powershell.exe
Token: 33	4580	powershell.exe
Token: 34	4580	powershell.exe
Token: 35	4580	powershell.exe
Token: 36	4580	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeIncreaseQuotaPrivilege	3816	powershell.exe
Token: SeSecurityPrivilege	3816	powershell.exe
Token: SeTakeOwnershipPrivilege	3816	powershell.exe
Token: SeLoadDriverPrivilege	3816	powershell.exe
Token: SeSystemProfilePrivilege	3816	powershell.exe
Token: SeSystemtimePrivilege	3816	powershell.exe
Token: SeProfSingleProcessPrivilege	3816	powershell.exe
Token: SeIncBasePriorityPrivilege	3816	powershell.exe
Token: SeCreatePagefilePrivilege	3816	powershell.exe
Token: SeBackupPrivilege	3816	powershell.exe
Token: SeRestorePrivilege	3816	powershell.exe
Token: SeShutdownPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeSystemEnvironmentPrivilege	3816	powershell.exe
Token: SeRemoteShutdownPrivilege	3816	powershell.exe
Token: SeUndockPrivilege	3816	powershell.exe
Token: SeManageVolumePrivilege	3816	powershell.exe
Token: 33	3816	powershell.exe
Token: 34	3816	powershell.exe
Token: 35	3816	powershell.exe
Token: 36	3816	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system.exe

pid process

3824 system.exe

pid	process
3824	system.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exesystem.exe

description	pid	process	target process
PID 4112 wrote to memory of 3824	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 4112 wrote to memory of 3824	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 4112 wrote to memory of 4712	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 4112 wrote to memory of 4712	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 4112 wrote to memory of 4712	4112	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 3824 wrote to memory of 4580	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 4580	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 3816	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 3816	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 3600	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 3600	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 2608	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 2608	3824	system.exe	powershell.exe
PID 3824 wrote to memory of 5068	3824	system.exe	schtasks.exe
PID 3824 wrote to memory of 5068	3824	system.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
"C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\ProgramData\system.exe
"C:\ProgramData\system.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
3⤵
- Creates scheduled task(s)
PID:5068

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
PID:1832

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
PID:4224

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
PID:204

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
PID:5052

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\build.exe
Filesize
95KB

MD5
16280875fdcf55ab4c8f1dff6dabc72e

SHA1
39880e6fbb258f4f4fa5c79337ec893acae55fb7

SHA256
91455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a

SHA512
53ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e

Download Submit
C:\ProgramData\system.exe
Filesize
75KB

MD5
70b9f8ef4c4ce24fe372b292aebcd138

SHA1
5fd7ce9318727b27db0dd50effbb632686d53f8c

SHA256
15af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b

SHA512
b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskmgr.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
90387d6614de578177c9802fe87f9991

SHA1
7685d7d2f012d619ce0159af5006b36193220251

SHA256
87cac4aafa918dd9b22af4b03cd304a12fde1bb381e3c1a1001886c58867d557

SHA512
b85d4abcbb444ef44e3f5955999c24a8e56d7cc6081b76107cb798c893771bd114b8c5a27a50a57d4a63d10357e80de62ffa51661e8b1599f69aa6cc54cb747c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
20997f54d898cd6e572aff9166311b69

SHA1
88d64b4f3ecc36493f42ad025f7fdd8c07d625cb

SHA256
08a93e39cc8dfbfc0eac6c325bfacc709bac0c0a87acd581d7e69944c35c67cd

SHA512
089e7dbc49dca1f3f53843070416f3e130af82a1eee673920ebe1498cb3a9e6cd697cc773d0c7576703d3a473ea9bd1ee3605a2709ee8cdf2a1e31f3ee55433a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
45358e51b923bed044cceb310e829c78

SHA1
e7b855fd42a750a3bd7f6d57469136979e1428b6

SHA256
f969ca4c4494e9857fa3b8e66dc6fd49ec55cc60417be4aa5ddf9797566262f7

SHA512
707e22f74e066e39955670f9196be948936cca0b14f270bc8fed86a4f1176bcb0dbc0b91124b06235d83a8f9e8b67b3acb57cf190446269a0acc90355e89319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq4lt4s0.db4.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF7.tmp
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF8.tmp
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF9.tmp
Filesize
2.1MB

MD5
d41db097c14bb1361ffd34f8c7130488

SHA1
b403ea8fcffec8371783a80d7ae17ae0f4614fe5

SHA256
5da42926d082c52dfd87980d0ef011df9ddab1f864cfb99c409653c3f133904c

SHA512
7846a97ab38f77a7434f110306f4822aa452787ddfbf811c84bee35e2bb123535a50e094d33d622ea57d1977bb59fd22fb7af25e9e861ec19f318e2c2db70e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AFA.tmp
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AFB.tmp
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B0C.tmp
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B0D.tmp
Filesize
1.2MB

MD5
fa4b36127d693daf0e2cd4fa2c79c74a

SHA1
b0ce1c5d11a417159ea7c7a639af2f206c05e2ab

SHA256
17da7245a70b1868e7084424bfb8c71b6b89692872545971ccf4fcf1e083df8c

SHA512
eb7f5985f536d06a6df4ae945733e441889362fe103f7dd108624ebc51e4bd5181b663edb11ae0358e80ce0c2546b4e6b96c2bb81e77a5c3e5246b1d250ddf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0E5.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA129.tmp
Filesize
92KB

MD5
3daad470df391b2f80f1355a73f49b47

SHA1
fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec

SHA256
a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08

SHA512
a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA154.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/3824-453-0x000000001B910000-0x000000001B922000-memory.dmp

Filesize
72KB

Download
memory/3824-465-0x000000001D910000-0x000000001DAD2000-memory.dmp

Filesize
1.8MB

Download
memory/3824-449-0x000000001AE70000-0x000000001AE80000-memory.dmp

Filesize
64KB

Download
memory/3824-466-0x000000001E5D0000-0x000000001EAF6000-memory.dmp

Filesize
5.1MB

Download
memory/3824-452-0x000000001B8D0000-0x000000001B8EE000-memory.dmp

Filesize
120KB

Download
memory/3824-446-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp

Filesize
4KB

Download
memory/3824-454-0x000000001D300000-0x000000001D33E000-memory.dmp

Filesize
248KB

Download
memory/3824-455-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

Filesize
56KB

Download
memory/3824-143-0x000000001AE70000-0x000000001AE80000-memory.dmp

Filesize
64KB

Download
memory/3824-130-0x00000000000D0000-0x00000000000EA000-memory.dmp

Filesize
104KB

Download
memory/3824-129-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp

Filesize
4KB

Download
memory/3824-585-0x000000001D4C0000-0x000000001D4DE000-memory.dmp

Filesize
120KB

Download
memory/4112-133-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4112-37-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-11-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-63-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-53-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-43-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-23-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-17-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-9-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-8-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-118-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/4112-15-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-19-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-21-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-132-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4112-1-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/4112-25-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-3-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4112-2-0x00000000020F0000-0x0000000002178000-memory.dmp

Filesize
544KB

Download
memory/4112-4-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4112-5-0x0000000002630000-0x0000000002696000-memory.dmp

Filesize
408KB

Download
memory/4112-6-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/4112-7-0x00000000026A0000-0x0000000002704000-memory.dmp

Filesize
400KB

Download
memory/4112-33-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-41-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-27-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-71-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-69-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-29-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-31-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-35-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-13-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-39-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-67-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-65-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-61-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-45-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-47-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-49-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-59-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-57-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-55-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4112-51-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/4580-151-0x0000027FD51E0000-0x0000027FD5256000-memory.dmp

Filesize
472KB

Download
memory/4580-148-0x0000027FD5030000-0x0000027FD5052000-memory.dmp

Filesize
136KB

Download
memory/4712-443-0x00000000070D0000-0x0000000007162000-memory.dmp

Filesize
584KB

Download
memory/4712-141-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4712-447-0x000000007326E000-0x000000007326F000-memory.dmp

Filesize
4KB

Download
memory/4712-321-0x0000000006640000-0x00000000066A6000-memory.dmp

Filesize
408KB

Download
memory/4712-319-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/4712-318-0x0000000006400000-0x00000000065C2000-memory.dmp

Filesize
1.8MB

Download
memory/4712-445-0x0000000007210000-0x000000000722E000-memory.dmp

Filesize
120KB

Download
memory/4712-448-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4712-142-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/4712-444-0x0000000007030000-0x00000000070A6000-memory.dmp

Filesize
472KB

Download
memory/4712-140-0x0000000004FF0000-0x000000000503B000-memory.dmp

Filesize
300KB

Download
memory/4712-139-0x0000000004FB0000-0x0000000004FEE000-memory.dmp

Filesize
248KB

Download
memory/4712-138-0x0000000004F50000-0x0000000004F62000-memory.dmp

Filesize
72KB

Download
memory/4712-137-0x00000000054E0000-0x0000000005AE6000-memory.dmp

Filesize
6.0MB

Download
memory/4712-136-0x000000007326E000-0x000000007326F000-memory.dmp

Filesize
4KB

Download
memory/4712-587-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4712-135-0x0000000000720000-0x000000000073E000-memory.dmp

Filesize
120KB

Download