199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
Size

863KB
MD5

57f7d9095490a4aadda9e261fec73a68
SHA1

45e51f97abc52dd29e65d7ec78e18ee8d1721867
SHA256

199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d
SHA512

80512a3188e69746425f828e394a0bf9ea6b50b4dda5b5f0b819248610d58d6fbd7862f29d42266f473515e60eadb2b5038c3ee9f7f9b26bb0a22981552f1810
SSDEEP

24576:Krl6kD68JmlotQfnkSjkpoftUXoBmZieeiftIZpr:4l328U2yfnrQaZoZiEFIZp

Score

7^/10

discovery upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs	bankrupture.exe

Executes dropped EXE 64 IoCs

pid	Process
2564	bankrupture.exe
3024	bankrupture.exe
2784	bankrupture.exe
2868	bankrupture.exe
2772	bankrupture.exe
2616	bankrupture.exe
1420	bankrupture.exe
1788	bankrupture.exe
1260	bankrupture.exe
2180	bankrupture.exe
2876	bankrupture.exe
1264	bankrupture.exe
112	bankrupture.exe
1600	bankrupture.exe
2220	bankrupture.exe
1672	bankrupture.exe
1504	bankrupture.exe
1920	bankrupture.exe
1980	bankrupture.exe
2848	bankrupture.exe
1732	bankrupture.exe
2668	bankrupture.exe
2124	bankrupture.exe
1712	bankrupture.exe
1564	bankrupture.exe
2464	bankrupture.exe
2148	bankrupture.exe
2904	bankrupture.exe
2992	bankrupture.exe
2820	bankrupture.exe
2792	bankrupture.exe
1928	bankrupture.exe
2608	bankrupture.exe
2100	bankrupture.exe
1044	bankrupture.exe
2088	bankrupture.exe
2252	bankrupture.exe
1764	bankrupture.exe
1132	bankrupture.exe
2132	bankrupture.exe
2236	bankrupture.exe
2732	bankrupture.exe
948	bankrupture.exe
992	bankrupture.exe
1624	bankrupture.exe
3040	bankrupture.exe
1948	bankrupture.exe
872	bankrupture.exe
1376	bankrupture.exe
2264	bankrupture.exe
2448	bankrupture.exe
2888	bankrupture.exe
2156	bankrupture.exe
424	bankrupture.exe
1892	bankrupture.exe
2916	bankrupture.exe
916	bankrupture.exe
1148	bankrupture.exe
968	bankrupture.exe
2152	bankrupture.exe
1680	bankrupture.exe
2408	bankrupture.exe
2764	bankrupture.exe
2540	bankrupture.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2312-15-0x0000000000C50000-0x0000000000E2C000-memory.dmp	autoit_exe
behavioral1/memory/2564-29-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/3024-40-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2784-52-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2868-61-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2772-72-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2616-82-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1420-93-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1788-104-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1260-105-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1260-115-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2180-126-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2876-137-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1264-138-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1264-148-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/112-157-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1600-158-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1600-168-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2220-178-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1672-189-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1504-199-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1920-209-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1980-218-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2848-228-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1732-238-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2668-248-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2124-249-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1980-259-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2124-258-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1712-260-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1712-270-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1564-281-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2464-291-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2148-301-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2904-312-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2992-323-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2820-333-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2792-334-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2792-343-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1928-351-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2608-352-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2608-359-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2100-367-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1044-368-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1044-376-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2088-385-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2252-386-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2608-394-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2252-393-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1764-395-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1764-403-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1132-411-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2132-412-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2132-420-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2236-429-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/2732-437-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/948-446-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/992-455-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1624-456-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1624-463-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/3040-471-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1948-472-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/1948-480-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe
behavioral1/memory/872-487-0x0000000000110000-0x00000000002EC000-memory.dmp	autoit_exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000C50000-0x0000000000E2C000-memory.dmp	upx
behavioral1/files/0x0009000000016ccc-9.dat	upx
behavioral1/memory/2312-15-0x0000000000C50000-0x0000000000E2C000-memory.dmp	upx
behavioral1/memory/2564-16-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2312-13-0x0000000002AF0000-0x0000000002CCC000-memory.dmp	upx
behavioral1/memory/2564-29-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/3024-40-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2784-41-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2784-52-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2868-50-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2772-62-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2868-61-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2772-72-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2616-82-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1420-83-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1788-94-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1420-93-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1788-104-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1260-105-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2180-116-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1260-115-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2876-127-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2180-126-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2876-137-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1264-138-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1264-148-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/112-157-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1600-158-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1600-168-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2220-178-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1672-179-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1672-189-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1504-190-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1504-199-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1920-209-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1980-218-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2848-228-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1732-238-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2668-248-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2124-249-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1980-259-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2124-258-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1712-260-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1712-270-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1564-271-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1564-281-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2464-291-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2904-302-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2148-301-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2904-312-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2992-313-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2992-323-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2820-333-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2792-334-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2792-343-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1928-351-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2608-352-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2608-359-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2100-367-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1044-368-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2088-377-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/1044-376-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2088-385-0x0000000000110000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2252-386-0x0000000000110000-0x00000000002EC000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bankrupture.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2564	bankrupture.exe
2564	bankrupture.exe
2564	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
2784	bankrupture.exe
2784	bankrupture.exe
2784	bankrupture.exe
2868	bankrupture.exe
2868	bankrupture.exe
2868	bankrupture.exe
2772	bankrupture.exe
2772	bankrupture.exe
2772	bankrupture.exe
2616	bankrupture.exe
2616	bankrupture.exe
2616	bankrupture.exe
1420	bankrupture.exe
1420	bankrupture.exe
1420	bankrupture.exe
1788	bankrupture.exe
1788	bankrupture.exe
1788	bankrupture.exe
1260	bankrupture.exe
1260	bankrupture.exe
1260	bankrupture.exe
2180	bankrupture.exe
2180	bankrupture.exe
2180	bankrupture.exe
2876	bankrupture.exe
2876	bankrupture.exe
2876	bankrupture.exe
1264	bankrupture.exe
1264	bankrupture.exe
1264	bankrupture.exe
112	bankrupture.exe
112	bankrupture.exe
112	bankrupture.exe
1600	bankrupture.exe
1600	bankrupture.exe
1600	bankrupture.exe
2220	bankrupture.exe
2220	bankrupture.exe
2220	bankrupture.exe
1672	bankrupture.exe
1672	bankrupture.exe
1672	bankrupture.exe
1504	bankrupture.exe
1504	bankrupture.exe
1504	bankrupture.exe
1920	bankrupture.exe
1920	bankrupture.exe
1920	bankrupture.exe
1980	bankrupture.exe
1980	bankrupture.exe
1980	bankrupture.exe
2848	bankrupture.exe
2848	bankrupture.exe
2848	bankrupture.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
2564	bankrupture.exe
2564	bankrupture.exe
2564	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
3024	bankrupture.exe
2784	bankrupture.exe
2784	bankrupture.exe
2784	bankrupture.exe
2868	bankrupture.exe
2868	bankrupture.exe
2868	bankrupture.exe
2772	bankrupture.exe
2772	bankrupture.exe
2772	bankrupture.exe
2616	bankrupture.exe
2616	bankrupture.exe
2616	bankrupture.exe
1420	bankrupture.exe
1420	bankrupture.exe
1420	bankrupture.exe
1788	bankrupture.exe
1788	bankrupture.exe
1788	bankrupture.exe
1260	bankrupture.exe
1260	bankrupture.exe
1260	bankrupture.exe
2180	bankrupture.exe
2180	bankrupture.exe
2180	bankrupture.exe
2876	bankrupture.exe
2876	bankrupture.exe
2876	bankrupture.exe
1264	bankrupture.exe
1264	bankrupture.exe
1264	bankrupture.exe
112	bankrupture.exe
112	bankrupture.exe
112	bankrupture.exe
1600	bankrupture.exe
1600	bankrupture.exe
1600	bankrupture.exe
2220	bankrupture.exe
2220	bankrupture.exe
2220	bankrupture.exe
1672	bankrupture.exe
1672	bankrupture.exe
1672	bankrupture.exe
1504	bankrupture.exe
1504	bankrupture.exe
1504	bankrupture.exe
1920	bankrupture.exe
1920	bankrupture.exe
1920	bankrupture.exe
1980	bankrupture.exe
1980	bankrupture.exe
1980	bankrupture.exe
2848	bankrupture.exe
2848	bankrupture.exe
2848	bankrupture.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2564	2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe	30
PID 2312 wrote to memory of 2564	2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe	30
PID 2312 wrote to memory of 2564	2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe	30
PID 2312 wrote to memory of 2564	2312	199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe	30
PID 2564 wrote to memory of 3024	2564	bankrupture.exe	31
PID 2564 wrote to memory of 3024	2564	bankrupture.exe	31
PID 2564 wrote to memory of 3024	2564	bankrupture.exe	31
PID 2564 wrote to memory of 3024	2564	bankrupture.exe	31
PID 3024 wrote to memory of 2784	3024	bankrupture.exe	32
PID 3024 wrote to memory of 2784	3024	bankrupture.exe	32
PID 3024 wrote to memory of 2784	3024	bankrupture.exe	32
PID 3024 wrote to memory of 2784	3024	bankrupture.exe	32
PID 2784 wrote to memory of 2868	2784	bankrupture.exe	33
PID 2784 wrote to memory of 2868	2784	bankrupture.exe	33
PID 2784 wrote to memory of 2868	2784	bankrupture.exe	33
PID 2784 wrote to memory of 2868	2784	bankrupture.exe	33
PID 2868 wrote to memory of 2772	2868	bankrupture.exe	34
PID 2868 wrote to memory of 2772	2868	bankrupture.exe	34
PID 2868 wrote to memory of 2772	2868	bankrupture.exe	34
PID 2868 wrote to memory of 2772	2868	bankrupture.exe	34
PID 2772 wrote to memory of 2616	2772	bankrupture.exe	35
PID 2772 wrote to memory of 2616	2772	bankrupture.exe	35
PID 2772 wrote to memory of 2616	2772	bankrupture.exe	35
PID 2772 wrote to memory of 2616	2772	bankrupture.exe	35
PID 2616 wrote to memory of 1420	2616	bankrupture.exe	36
PID 2616 wrote to memory of 1420	2616	bankrupture.exe	36
PID 2616 wrote to memory of 1420	2616	bankrupture.exe	36
PID 2616 wrote to memory of 1420	2616	bankrupture.exe	36
PID 1420 wrote to memory of 1788	1420	bankrupture.exe	37
PID 1420 wrote to memory of 1788	1420	bankrupture.exe	37
PID 1420 wrote to memory of 1788	1420	bankrupture.exe	37
PID 1420 wrote to memory of 1788	1420	bankrupture.exe	37
PID 1788 wrote to memory of 1260	1788	bankrupture.exe	38
PID 1788 wrote to memory of 1260	1788	bankrupture.exe	38
PID 1788 wrote to memory of 1260	1788	bankrupture.exe	38
PID 1788 wrote to memory of 1260	1788	bankrupture.exe	38
PID 1260 wrote to memory of 2180	1260	bankrupture.exe	39
PID 1260 wrote to memory of 2180	1260	bankrupture.exe	39
PID 1260 wrote to memory of 2180	1260	bankrupture.exe	39
PID 1260 wrote to memory of 2180	1260	bankrupture.exe	39
PID 2180 wrote to memory of 2876	2180	bankrupture.exe	40
PID 2180 wrote to memory of 2876	2180	bankrupture.exe	40
PID 2180 wrote to memory of 2876	2180	bankrupture.exe	40
PID 2180 wrote to memory of 2876	2180	bankrupture.exe	40
PID 2876 wrote to memory of 1264	2876	bankrupture.exe	41
PID 2876 wrote to memory of 1264	2876	bankrupture.exe	41
PID 2876 wrote to memory of 1264	2876	bankrupture.exe	41
PID 2876 wrote to memory of 1264	2876	bankrupture.exe	41
PID 1264 wrote to memory of 112	1264	bankrupture.exe	42
PID 1264 wrote to memory of 112	1264	bankrupture.exe	42
PID 1264 wrote to memory of 112	1264	bankrupture.exe	42
PID 1264 wrote to memory of 112	1264	bankrupture.exe	42
PID 112 wrote to memory of 1600	112	bankrupture.exe	43
PID 112 wrote to memory of 1600	112	bankrupture.exe	43
PID 112 wrote to memory of 1600	112	bankrupture.exe	43
PID 112 wrote to memory of 1600	112	bankrupture.exe	43
PID 1600 wrote to memory of 2220	1600	bankrupture.exe	44
PID 1600 wrote to memory of 2220	1600	bankrupture.exe	44
PID 1600 wrote to memory of 2220	1600	bankrupture.exe	44
PID 1600 wrote to memory of 2220	1600	bankrupture.exe	44
PID 2220 wrote to memory of 1672	2220	bankrupture.exe	45
PID 2220 wrote to memory of 1672	2220	bankrupture.exe	45
PID 2220 wrote to memory of 1672	2220	bankrupture.exe	45
PID 2220 wrote to memory of 1672	2220	bankrupture.exe	45

C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
"C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
  "C:\Users\Admin\AppData\Local\Temp\199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
    "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
      "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        23⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        36⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        37⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        40⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        41⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        46⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        49⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        55⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        56⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        58⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        59⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        63⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        67⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        69⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        71⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        74⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        80⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe
        
        "C:\Users\Admin\AppData\Local\ectosphere\bankrupture.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autCF02.tmp

Filesize
419KB

MD5
a9a0e5250052a7c19d3272e47dbf1f2d

SHA1
19d121b655a3802195d307c0431f84ceb9042d7b

SHA256
2cb6c8e181dd25247599136ada37c8cfc64bdc5b073a236524a97182ba8fc720

SHA512
8427ff93f6f6f7849be19e9dd93418067fe7e4da271e7e694a37feab606803a3a031979838c55551b0c7d590e5959cbb53a8ddfedee36494769fae7dbc1e2d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\teer

Filesize
481KB

MD5
bd289fa20b842c995c4616d9cf521df5

SHA1
6d85a647c2995355869131522ca6c3f087db187a

SHA256
686deae06fa39d9d353c1433d1c43a360877631186a36ff92bb29c3914d6238e

SHA512
2004f457ea076b9e7243388ae1132790be023636be70c9161b38954aef6e27e2049ec87c5af7205a60964cc08bf9e968d9da71307a462c168f3bea7ade302be7

Download Submit
\Users\Admin\AppData\Local\ectosphere\bankrupture.exe

Filesize
863KB

MD5
57f7d9095490a4aadda9e261fec73a68

SHA1
45e51f97abc52dd29e65d7ec78e18ee8d1721867

SHA256
199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d

SHA512
80512a3188e69746425f828e394a0bf9ea6b50b4dda5b5f0b819248610d58d6fbd7862f29d42266f473515e60eadb2b5038c3ee9f7f9b26bb0a22981552f1810

Download Submit
memory/112-157-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/424-530-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/872-487-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/916-551-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/948-438-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/948-446-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/968-565-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/992-447-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/992-455-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1044-368-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1044-376-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1132-411-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1132-404-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1148-558-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1260-115-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1260-105-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1264-138-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1264-148-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1376-494-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1420-83-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1420-93-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1504-190-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1504-199-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1564-271-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1564-281-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1600-158-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1600-168-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1624-495-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1624-463-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1624-456-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1672-179-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1672-189-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1680-579-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1712-260-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1712-270-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1732-238-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1764-395-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1764-403-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1788-94-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1788-104-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1892-537-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1920-209-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1928-351-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1948-472-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1948-480-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1980-259-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/1980-218-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2088-385-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2088-377-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2100-367-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2124-249-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2124-258-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2132-420-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2132-412-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2148-301-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2152-572-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2156-523-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2180-126-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2180-116-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2220-178-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2236-429-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2236-421-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2252-386-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2252-393-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2264-500-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2264-496-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2312-13-0x0000000002AF0000-0x0000000002CCC000-memory.dmp

Filesize
1.9MB

Download
memory/2312-7-0x00000000007B0000-0x0000000000BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2312-15-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/2312-0-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/2408-586-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2448-501-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2448-508-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2464-291-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2564-25-0x0000000000910000-0x0000000000D10000-memory.dmp

Filesize
4.0MB

Download
memory/2564-29-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2564-16-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2608-359-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2608-394-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2608-352-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2616-82-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2668-248-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2732-437-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2764-593-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2772-72-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2772-62-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2784-41-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2784-52-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2792-343-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2792-334-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2820-333-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2848-228-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2868-61-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2868-50-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2876-137-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2876-127-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2888-516-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2904-302-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2904-312-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2916-544-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2992-313-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/2992-323-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/3024-37-0x0000000000DA0000-0x00000000011A0000-memory.dmp

Filesize
4.0MB

Download
memory/3024-40-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download
memory/3040-471-0x0000000000110000-0x00000000002EC000-memory.dmp

Filesize
1.9MB

Download