a7d9bb906fbff13c6d394325e32a77d6286711e74611bfc993fc9a48507906dd

Resubmissions

06/08/2024, 22:26

240806-2cxxxasfkq 10

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rack 2 Furry Science_WO8-sk1.exe
Size

13.8MB
MD5

36f8adb499e6f6f9318f7bdb1d2bbd75
SHA1

709296223ebc2a31c0f0d37b535b62431c4e5991
SHA256

a7d9bb906fbff13c6d394325e32a77d6286711e74611bfc993fc9a48507906dd
SHA512

46c41a5300231aa83cc2445e1310d8ae878c590f06d1fc78b0d56e5370acff207fcb3e468666cb920308c9c0966119427f5a940d2849d4babee3806493ad1152
SSDEEP

196608:2j6kU9NYlObEk0Lp2dd/kZzkmxgy9NSW7I7GIXSpINbhiTGIwTh3kC3uDEN9TrSs:cLSN30LpEiSCC9XSpIFwah3RuINhkU9

Score

6^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Avira\Browser\Installed	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\AVAST Software\Avast	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\AVG\AV\Dir	Rack 2 Furry Science_WO8-sk1.tmp

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	qbittorrent.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3044	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2340	Rack 2 Furry Science_WO8-sk1.tmp
2456	qbittorrent.exe

Loads dropped DLL 4 IoCs

pid	Process
376	Rack 2 Furry Science_WO8-sk1.exe
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbittorrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rack 2 Furry Science_WO8-sk1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rack 2 Furry Science_WO8-sk1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Rack 2 Furry Science_WO8-sk1.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Rack 2 Furry Science_WO8-sk1.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rack 2 Furry Science_WO8-sk1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rack 2 Furry Science_WO8-sk1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rack 2 Furry Science_WO8-sk1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Rack 2 Furry Science_WO8-sk1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Rack 2 Furry Science_WO8-sk1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Rack 2 Furry Science_WO8-sk1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Rack 2 Furry Science_WO8-sk1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Rack 2 Furry Science_WO8-sk1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2456	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp
2340	Rack 2 Furry Science_WO8-sk1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2456	qbittorrent.exe
Token: SeIncBasePriorityPrivilege	2456	qbittorrent.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2340	Rack 2 Furry Science_WO8-sk1.tmp
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe
2456	qbittorrent.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 376 wrote to memory of 2340	376	Rack 2 Furry Science_WO8-sk1.exe	30
PID 2340 wrote to memory of 3044	2340	Rack 2 Furry Science_WO8-sk1.tmp	31
PID 2340 wrote to memory of 3044	2340	Rack 2 Furry Science_WO8-sk1.tmp	31
PID 2340 wrote to memory of 3044	2340	Rack 2 Furry Science_WO8-sk1.tmp	31
PID 2340 wrote to memory of 3044	2340	Rack 2 Furry Science_WO8-sk1.tmp	31
PID 2340 wrote to memory of 2456	2340	Rack 2 Furry Science_WO8-sk1.tmp	33
PID 2340 wrote to memory of 2456	2340	Rack 2 Furry Science_WO8-sk1.tmp	33
PID 2340 wrote to memory of 2456	2340	Rack 2 Furry Science_WO8-sk1.tmp	33
PID 2340 wrote to memory of 2456	2340	Rack 2 Furry Science_WO8-sk1.tmp	33

C:\Users\Admin\AppData\Local\Temp\Rack 2 Furry Science_WO8-sk1.exe
"C:\Users\Admin\AppData\Local\Temp\Rack 2 Furry Science_WO8-sk1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\is-KI0BH.tmp\Rack 2 Furry Science_WO8-sk1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KI0BH.tmp\Rack 2 Furry Science_WO8-sk1.tmp" /SL5="$40110,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Rack 2 Furry Science_WO8-sk1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\qbittorrent.exe "qBittorrent" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\qbittorrent.exe
    "C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\qbittorrent.exe" magnet:?xt=urn:btih:A719452BA7CFCF47BDCE2E5C7784E4FCF3C7844C
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dd7e74b709ca9b49f7917d6b0119ff4

SHA1
7be962e78ef4863054213a60fed1eefbcdd7591e

SHA256
7201f143ed126734e94212493c600e08be35db2c692329ec760a83789ec733be

SHA512
b7c67faf13c048c6838e62843e44d5fce52bda99f0009021de22de48607baabf2a0fea6acb11517a406a010855fc3b27e5905788a0ec3f47ba8e647605c8ad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7FBD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7FDF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\AVG_AV.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\WebCompanionCHO.png

Filesize
19KB

MD5
992545a06d801d0fd6ef0390c147cae8

SHA1
c5e560ae740cb7da673edf2e7a9df0c31f2cfdfa

SHA256
ae499b9cf3d8b41a47c2b46abb0685230ab04ba0fc0dbfad92c3fc59cc188ea6

SHA512
e4d4211ff3f26d93e0e7bc9f07bc5f3db6ad2818d4044bdf8a457bb3e2f703e71c042a6c3e30f5131d47379c4c7418185084f88d5d3372d7ffaa2a09e6f0ef15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\finish.png

Filesize
2KB

MD5
7afaf9e0e99fd80fa1023a77524f5587

SHA1
e20c9c27691810b388c73d2ca3e67e109c2b69b6

SHA256
760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0

SHA512
a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini

Filesize
1KB

MD5
71785c387c41973b7c4d55731e4d3245

SHA1
34c3cf04eb9abe01db52f2c30ce67585e76a0ce0

SHA256
18d21294a8e31038b6e873ce465b3b093a006dec03edeeba9961c7f96ba4bf3f

SHA512
23f2c017fe22424e9e2940c1b6351b33df7b366aead7fa5a6dd2795d2bdde4c6a0c396691ede7a4745ca10f876f8a962376522b59ee911d57efb65845c055ec8

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini

Filesize
1KB

MD5
e868a85b2053ba499ef3b9d6d8f5163c

SHA1
ebfd8c5e41ad808088f41d7d051bfe25b2011af0

SHA256
67771a02486a86442010c24b10443742ac0620c752eac1c80ae4001ecacc6a9d

SHA512
54a1618a7437a64139c3b840827f165f03e3832a7a486973e8fbbc9c69d1858cca5986c64cbb5a9b45cdfe3c5c58cb5bc2dd267587260c564c6cc6a15e66812d

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini

Filesize
2KB

MD5
8d16f5fcf0144bcbdfb548a8e893a463

SHA1
df179b03d03c54e8831961fc1f383de868db3157

SHA256
bc02f62a2ecfe96d9c729da2cf348ca86088e48683fd449103bf3c9b5809e576

SHA512
f1ea0e0ce930d896f6de516776f58b8fc5c7b2bcbf7e4484df8bc41e28ca30ed4e7a982f6d402a5aca8ffb1af38f618810251e0ad19c3c7f6b34c6a72566455f

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini.lock

Filesize
64B

MD5
93f80ae00076f6d651fc4bb964d535aa

SHA1
748c3de562a1e9e196c98a2749e616b8d07ab82a

SHA256
226547ad8541389032e34777038dae152b45fd053e3754e6ccf6824170adaaf9

SHA512
cbe52443bdeb8ce84afd795996973693ad9320bd5a1021c4f5b8f3e0ade143e958b032fa1624668ccefce7092418759fa332e7af55a56752defca2721c4a82e9

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
C:\Users\Admin\Downloads\FSR2\LINUX.iso

Filesize
39.5MB

MD5
a471dc6e468d118d3fd7db6a19626984

SHA1
d5050898313c8490cdbf9a13ce7f28c770bb61fa

SHA256
233b7b9bac36ca610255d2a9f5d2a64732c56d1c962cb1f6a9c9f1c7878252e0

SHA512
300d13e3b5f5839f39f66e7057c8db1f891c70149de6443b02ba3b73d41132b938011d2e12940e5e4c2fbceaa6ebf479e7331d58eab1c2b64cdd4ebd98f02d20

Download Submit
\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\qbittorrent.exe

Filesize
22.8MB

MD5
22a34900ada67ead7e634eb693bd3095

SHA1
2913c78bcaaa6f4ee22b0977be72333d2077191d

SHA256
3cec1e40e8116a35aac6df3da0356864e5d14bc7687c502c7936ee9b7c1b9c58

SHA512
88d90646f047f86adf3d9fc5c04d97649b0e01bac3c973b2477bb0e9a02e97f56665b7ede1800b68edd87115aed6559412c48a79942a8c2a656dfae519e2c36f

Download Submit
\Users\Admin\AppData\Local\Temp\is-IDRPQ.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
c79e3df659cdee033a447a8f372760ce

SHA1
f402273e29a6fa39572163e4595e72bde3d9330a

SHA256
7d09715c4e0735a0832bf81d92d84600df1815a2ba451586bd25eb16f7c450a5

SHA512
490cc30ccfac209f1f5332ce4168b0dc849d7e4d86f3c198ddd23b39ddc950001928a1e071c2ace74c4710508265c0872adb02e3f068e521d28ed8b19ea36492

Download Submit
\Users\Admin\AppData\Local\Temp\is-KI0BH.tmp\Rack 2 Furry Science_WO8-sk1.tmp

Filesize
2.9MB

MD5
392188858aab78d544835de0fe665a04

SHA1
e2c06e4d926bbecee75887c83b5a9e732b0103b8

SHA256
eaa483432e2cae37fcf1350c160b848948f8e512ed085fab67d901bfcd8d5d07

SHA512
0d0d1d1196d705af2a755d054372b45e8540edeb201d2b9ac2d48a08240399314130f3e78e7e962ce708d3da90ed933fa848023f7db9ecaf7fc6ec7979cb05a5

Download Submit
memory/376-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/376-189-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/376-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/376-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2340-145-0x0000000007CA0000-0x0000000007CAF000-memory.dmp

Filesize
60KB

Download
memory/2340-187-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2340-171-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2340-172-0x0000000007CA0000-0x0000000007CAF000-memory.dmp

Filesize
60KB

Download
memory/2340-138-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2340-8-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2456-199-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2456-200-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2456-173-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2456-174-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download