asyncrat | 8347a7ae54a9a8023fe9fe3b4ab8c877b588c461ba8d7bcd26df4a6ac6688b39

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ItroublveTSC.6.1.3/ItroublveTSC.exe
Size

20.2MB
MD5

009ccbe83baac45b58b4d68cc6c38dad
SHA1

3ddef3044c1ff7eddcd8c342f54f8fa3b92bdbae
SHA256

d6568b81da1c122667dfae75d8383bf93a07d4334df37b8b443463874d03fa94
SHA512

57ff97490ecfb426d0d87397a5c075d9f9f499f0bd8785c573032f8d9b70c7f9457a5d4253d15c223b36882fdfa14dbb978f27cabe7066c277bc85e09cca31ea
SSDEEP

393216:JyDn6besFfMj2DPPHtvEK15iDaXDXLybnk:4DYLLHtvEZaXLyg

Score

10^/10

asyncrat modiloader default discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

zzzpmax.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023cf9-15.dat	family_asyncrat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1644-113-0x0000000000400000-0x0000000001839000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1612	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ItroublveTSC.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.vbs	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
4948	ItroublveTSC.exe
2604	AsyncClient.exe
4804	Windoes.exe
4780	Qasim_Haxor.exe
3296	Windoes.exe

Loads dropped DLL 47 IoCs

pid	Process
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe
3296	Windoes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
648	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com
20	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io
19	ipinfo.io

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023cfa-29.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qasim_Haxor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ItroublveTSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ItroublveTSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ItroublveTSC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ItroublveTSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ItroublveTSC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ItroublveTSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	ItroublveTSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ItroublveTSC.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3900	powershell.exe
3900	powershell.exe
648	powershell.exe
648	powershell.exe
4844	powershell.exe
4844	powershell.exe
5032	powershell.exe
5032	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	Windoes.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe
Token: 33	4780	Qasim_Haxor.exe
Token: SeIncBasePriorityPrivilege	4780	Qasim_Haxor.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe
4948	ItroublveTSC.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4948	1644	ItroublveTSC.exe	82
PID 1644 wrote to memory of 4948	1644	ItroublveTSC.exe	82
PID 1644 wrote to memory of 4948	1644	ItroublveTSC.exe	82
PID 1644 wrote to memory of 2604	1644	ItroublveTSC.exe	83
PID 1644 wrote to memory of 2604	1644	ItroublveTSC.exe	83
PID 1644 wrote to memory of 2604	1644	ItroublveTSC.exe	83
PID 1644 wrote to memory of 4804	1644	ItroublveTSC.exe	84
PID 1644 wrote to memory of 4804	1644	ItroublveTSC.exe	84
PID 1644 wrote to memory of 4780	1644	ItroublveTSC.exe	85
PID 1644 wrote to memory of 4780	1644	ItroublveTSC.exe	85
PID 1644 wrote to memory of 4780	1644	ItroublveTSC.exe	85
PID 1644 wrote to memory of 4480	1644	ItroublveTSC.exe	86
PID 1644 wrote to memory of 4480	1644	ItroublveTSC.exe	86
PID 1644 wrote to memory of 4480	1644	ItroublveTSC.exe	86
PID 4804 wrote to memory of 3296	4804	Windoes.exe	87
PID 4804 wrote to memory of 3296	4804	Windoes.exe	87
PID 3296 wrote to memory of 3900	3296	Windoes.exe	88
PID 3296 wrote to memory of 3900	3296	Windoes.exe	88
PID 3296 wrote to memory of 648	3296	Windoes.exe	90
PID 3296 wrote to memory of 648	3296	Windoes.exe	90
PID 4780 wrote to memory of 1612	4780	Qasim_Haxor.exe	92
PID 4780 wrote to memory of 1612	4780	Qasim_Haxor.exe	92
PID 4780 wrote to memory of 1612	4780	Qasim_Haxor.exe	92
PID 3296 wrote to memory of 4844	3296	Windoes.exe	94
PID 3296 wrote to memory of 4844	3296	Windoes.exe	94
PID 3296 wrote to memory of 5032	3296	Windoes.exe	96
PID 3296 wrote to memory of 5032	3296	Windoes.exe	96

C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.6.1.3\ItroublveTSC.exe
"C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.6.1.3\ItroublveTSC.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe
  "C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
  "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\Windoes.exe
  "C:\Users\Admin\AppData\Local\Temp\Windoes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\Windoes.exe
    "C:\Users\Admin\AppData\Local\Temp\Windoes.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
  "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\System.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

Filesize
45KB

MD5
d9678a811b8e751dc9bf9e4d2e0d37f0

SHA1
2155f106d01cff13775d49abed054de2b68241a8

SHA256
a774ff7eaa90c54fd38c2c1d3428ecbf88c09dacaf723abe92e4be4c3d427de7

SHA512
723cc5a06900f9f23f2d1095282d32631bb315a578bffd8c4ac328c2c3b15680b0f895faee74c9ef2e20ddb27f2dec8040901ce6b905f37d99ce2556403377c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe

Filesize
3.9MB

MD5
63b97ca45d11bffe5f3317531335bb24

SHA1
5b445cfb8f8364c8b22f8e99067acdbede93e9b7

SHA256
df685c35cdfa3c2cd9c8c6390ccdf95442461558c4a1c5a17f37eb823f566cff

SHA512
37dd84cc2f45fc720a2a61dfe1d71f2a4b6ece9d3b19e87dfb17dbd4b5127a7b9d0b0cc2d842358ee222fe335a771b9a168cea52b3c931605d2576c3267e153e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe

Filesize
48KB

MD5
de60e7d10209074a91b02daf81ad0686

SHA1
f00b0eb7c6247f2c539f5a2400578b45fea41eb8

SHA256
dcf12cad4292eb8342e505e9df6c057499009a4acfc7f8f330ca494809293862

SHA512
2d236cf57e636ae62aff895773929a9e3cd21ffeea7cb76cf2379261a2e5e00c1f417a59fab0489f62c0e6335c36f07c00b230cf773b8eed7c616bf52d3712d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.vbs

Filesize
53KB

MD5
f3b7e99ffb2107e81718e835b390374a

SHA1
dd8fae76baa76383111de14ff7135f270bb80d80

SHA256
1dc7951edfe21d0b7e91900f3fee0c0954b7b9e08299ff3289995590a6e20d90

SHA512
3568e8653547ecc0e59b09041b0fe5042322c2654d628beffe15dc9011f605c95c95c5d8aa8359150b6841fb12013793bbced1fd722460fceda1d200a9ede93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windoes.exe

Filesize
15.8MB

MD5
38d07fee3ab0258d37807e7e0a7a1268

SHA1
6205237c114c7cce491bb65b57b3bce24ba315df

SHA256
d471ea5e509d30e7af5ef074f9006dacb549cb9c3bb6d1ef8387792a857a87b9

SHA512
99b591d4f970a0d738ff94c98cef5415ebf2212fb69c705aab8946ee88bbf2af9db0fdb2ac6fe3ef8e6071b9565937c91b902396fc663d11045cf4e0389cb859

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\PIL\_imaging.cp39-win_amd64.pyd

Filesize
3.1MB

MD5
4a262e6b22a4a7d1c185470e0204d2dd

SHA1
786373a8c32e8b8b1f2fab3b41c990e81283843e

SHA256
ae3071d449b839911d69a07911413aa6d1fbccb6d20481c0e7817131d7c289e3

SHA512
0d9a5fa8785180d195b020edbc74a4a1c2191fcecdd668d3c33d46e0e6c616877d513e6b9393baded5c73d08e19d5e3a9e2fe3962e7350624f03243b1d4ef66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_asyncio.pyd

Filesize
64KB

MD5
43e7da594af7c0655cb9f57bd5556a49

SHA1
b75042853453e902ee54d0311311b4de74d40241

SHA256
6241f72162099095f111819fd5b9b2a0995ed7cf45ca08f1d0134ab7b3fe601a

SHA512
b088211220a6b73aa55e8ce1ed8d1517b25a5f53245abd9a07ba4c39518db9bd8742750d1f7f12c58955ee1ea642c733d4dca45bc7b67e1d18d25526806c4be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_cffi_backend.cp39-win_amd64.pyd

Filesize
179KB

MD5
3d48e9bc9a3b68e816e1d0be284f2d3f

SHA1
410921af4383bdc898df691ea39e3e9f558c3d85

SHA256
88451f322707b22c43b36796c3711bace64f50ef7b22c94fbf29a04a2838e533

SHA512
829c0e0458f927ffd8e60194c5ef75c9e4f9da86d3fa7d7184715a869a2765b5e3a0d4263ab9acbbdb752f451acc87eb5a7b1d63712c67e21fcef8c228da3db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ctypes.pyd

Filesize
124KB

MD5
38d9d8ed2b7df64790150a2a523fd3b9

SHA1
a629c8e76136fa5678c758351e2dcff5324f51e7

SHA256
11daef02afe45d9f3987bab5c2b6ef75b2b6f6f79704c45675d532f090f14b8b

SHA512
7a37a98bb9824680e3f0030e0db795f9eab1cc4d2b6605e4f6c37d432b4de0642481dd7b6c6f0e53264f2d940b4800555ab0d84145d7de35f4a65a26ca100fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_hashlib.pyd

Filesize
63KB

MD5
75ed91d3b7a40eca5b32a13b90191ead

SHA1
320bd4b6116f735d8508382738e50ba8862b8029

SHA256
202535a5ceb0bf70c2046639a3884c24f2cccb1bd92827e61b5a7a663d9399ba

SHA512
0eb81335c97842233751e7b4c0d6581accaf00a86f3e06fe35b2c80bd6badf83a321eaf4a449a31238ed3f60aa09890769bf54775cd7efd5112255842e1582c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_overlapped.pyd

Filesize
45KB

MD5
5302eaf1e9af8e6550ab3720acf7ff63

SHA1
ce2dfdf34616a84a041ddaec025516ee6c5e2762

SHA256
42c7a03bffe76eafdee596f6b4c3ff950ff8808a31d194932c2bf48fdfc7f7c2

SHA512
7649a8356aff0b9f7012ca25a433771e84a722a3eda0608226d5871828d5a3e5c7eca009ae9c32d02bc01a5ceceb972f35d9ec9bf538f3151145469769c8ebf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_queue.pyd

Filesize
29KB

MD5
f9718fe21174d8428f022aaf60bf92da

SHA1
db7e85eaa7c795792050af43d47518ca7fa7878a

SHA256
95e1c419e08d8ab229b8c64d51fd301cd9d75a659dfc05e75b0317ca0a4f22e3

SHA512
000929c994446f22e4f11a011c21b7401bbe8b3b1a624b80a4eeb818f94190b3db2782b00e477e548814caea5234d4de5a8a766d72365c26654d655ec4546be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_sqlite3.pyd

Filesize
88KB

MD5
1b7e6b8d16b0800917a1f5a88b73ff81

SHA1
a7bf3e6e6a5cfe990d2ee586fb7b08b26ced58fa

SHA256
a831f3eb5da12bfa9606f8a947f677cfb0f3790e2b7c8f046add7e5af566e688

SHA512
22a6a6ca295ae552cd98757fac789d2b14f9af6769919f35a41887ce47f5031bd1ff1764af0d7b537c376b7b090af8f2dff0ece6885e1755e8d3fcef97e72708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ssl.pyd

Filesize
152KB

MD5
3baf56d4e63a800fcaf2cc98fc120709

SHA1
2a33341eda4b4549452b6db9b259f8ae6ec9c806

SHA256
d7610dd6be63aada4fe1895b64bbac961840257c6988e1f68bbf3d8e486b5a45

SHA512
e48899ed5581fe9f45c02219d62e0acbc92906af5b7a3b7d9be1bb28b41f5cfdb0d3496abc6d0c1a809bb80d2a49c5a456d34e4667995fb88ef8aca6958881dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\base_library.zip

Filesize
782KB

MD5
1356be97bab9e8a8df23f8ed2a47ce38

SHA1
1236a6e59c8acebaa11818be885f8db64a001bc4

SHA256
5c2e7ac085877f6c18374ef26b877f5e85db1cf2ab2dec836307db867710fec5

SHA512
37e31ce69f9ccdc2b17757200b3928d009c38b1056a0e7d9da700a2ada2fb351855e4d6225bd2b944aea07be8c6fe842ae713c85f23a1e5566b03a4c9d8bfe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\psutil\_psutil_windows.cp39-win_amd64.pyd

Filesize
67KB

MD5
1350d7dd4c8715fb749092b370362d91

SHA1
6a706c275c48ab835c9d1a3e6e619306003a41c7

SHA256
1090e69fa90e0f55b90a2ae429aad7843db013eeef42aa8b0f0267f76abbf6be

SHA512
65e2051669daed30a89c60e96c52214bb161de8571eaf26dd680bf9ad91a1474497cfa2399f5da2023e9205f32c668de654fe81cf7bcacdcd58995be451e981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\pyexpat.pyd

Filesize
200KB

MD5
82d5cf404925997d094202dabaf6f5e6

SHA1
4207d98c747b68ccfaf911c87bc7715814454d15

SHA256
9e90ade54232d61d106b182326085fc843c8b48b363733865abe40652d78614c

SHA512
12276495c2b504b4ebe83514b9231199beab86459217591e7446e97e4ab2c92413bf3c3cef83877fa4ea698b04c8df4ec1cbb7579f22c5686625397f0ce0aae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\pythoncom39.dll

Filesize
543KB

MD5
70bc8ed8d8010f70eac573acb2da9102

SHA1
0eb61a4b1542560688d74c8242f51f6e4d0fb845

SHA256
9b3d25eb5b8cd86dac4b6301df30c2a9b9815732e52b6d8e96bf58a6ad988a84

SHA512
c110716018fece63efdb1956eb4a200a74c47f56819e4c112408cf62a50d4f2f325ba8f9c88b91d2824fe6ec1760cc5bc1a63b12dc13a757715101c4b67cca79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\pywintypes39.dll

Filesize
139KB

MD5
7fda0690544ac0051f53adefdb079c6a

SHA1
3d4a20d7b76c3352d3f6b3cddad232d823048152

SHA256
4dcdc4f5e684d0c031122515b4f089e33dc0cc9869ef1ab65832ac90cf428906

SHA512
fedc45635b8977fa7bff36659e34e8cd21686ccb8af93ad4b5fa77c8ed02d54210442ccd6479b939b1e928ef1bdc0c9c73fb4dd637e9d4c4d9d88442c49d4a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\sqlite3.dll

Filesize
1.5MB

MD5
7e1348caeb9f0e0d8356110b3801476a

SHA1
b13411049bfa2968683e4655270bb65b1dc67659

SHA256
2e5dee18e25fa8115b84285da45b910142141ea734f34570cd6ec03f74212ae9

SHA512
aaa6c1811d7b494b42a7992d387776e4b8de55fb0f33a3a461dfc5b528964f8f3d83ad770b0077a0ed2bfcb47961608d0ee62529b7cc6940da22dfc4d878178b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\unicodedata.pyd

Filesize
1.1MB

MD5
684ae6992f55ad6c64588367e42f44f7

SHA1
66d8868286924ada60966a620dffe87b2c978711

SHA256
91834e28cc0acbd966dc6d323b95113e0050301b7cd6cd4abe43390f2bbddb34

SHA512
70453ee98cbf6365aa7a326520cdad438d6a1d6f463da6180cb5e20708647951831d232b577be50a16825912a9e40386c64a9987e3265fc870cddd918b31614c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48042\win32api.pyd

Filesize
131KB

MD5
c2c0fa32e01f7bc4542bf96e0cc3ffe5

SHA1
6b2733b08351442f27ff943c3faccf45378a87eb

SHA256
2ab33cca6227c6a2d5d9cc5e694a678a292b3b26e299cb94343a466900d7014c

SHA512
311f94646e76247ce3db8b73f47a8f56abe7b8f34df642e40bd7842b6609814ec99bf4a500e8c5fbbb0f88fc25413b7c5516cdd9b7ccacea872317cde1a1bbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fygbobu.whm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_\Google Cookies.txt

Filesize
368B

MD5
d053e70f5cd875879f2270b0e80cf8e3

SHA1
1b45a9bf768c3b963a424dc4ad7a727433c1aeb1

SHA256
1208bca5a972ee3b748ebccc7308598307505579c4634415f6a91e062503e6d8

SHA512
9fb4fbe1ad8a51df56c121f2477470139ecf4b418a39792637c098c191f4c1f27947c17e90c481088cc1f7f65003cc2a75e2c35479aa72e37c6a92e1a9746cdd

Download Submit
memory/1644-113-0x0000000000400000-0x0000000001839000-memory.dmp

Filesize
20.2MB

Download
memory/2604-329-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2604-31-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2604-23-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/3900-220-0x0000028E73AA0000-0x0000028E73AC2000-memory.dmp

Filesize
136KB

Download
memory/4948-30-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4948-106-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/4948-19-0x000000007350E000-0x000000007350F000-memory.dmp

Filesize
4KB

Download
memory/4948-27-0x0000000000200000-0x00000000005E6000-memory.dmp

Filesize
3.9MB

Download
memory/4948-32-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4948-272-0x000000007350E000-0x000000007350F000-memory.dmp

Filesize
4KB

Download
memory/4948-74-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-330-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/4948-331-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download