wannacry | ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

Resubmissions

25-01-2025 13:24

250125-qnsa1swmdj 10

24-01-2025 22:04

250124-1y8e4a1lbz 10

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetCat Loader.exe
Size

76KB
MD5

1a56b39b62cff3bf7a75a708f6a11762
SHA1

180d91a57ebb95a81bfaa394bca35c123efa916e
SHA256

ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a
SHA512

b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb
SSDEEP

1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Score

10^/10

wannacry xworm aspackv2 bootkit defense_evasion discovery execution persistence ransomware rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

xworm

194.59.31.87:1111

Attributes

install_file
USB.exe

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225f-5.dat	family_xworm
behavioral1/memory/2912-8-0x0000000000B20000-0x0000000000B36000-memory.dmp	family_xworm

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
2792	powershell.exe

Disables Task Manager via registry modification
defense_evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000019345-621.dat	aspack_v212_v242

Executes dropped EXE 12 IoCs

pid	Process
2912	System32.exe
1344	pzersa.exe
2436	MBRPayload.exe
1756	melter.exe
880	Craze.exe
2032	screenscrew.exe
1904	lines.exe
604	INV.exe
2400	Craze.exe
852	qydxwh.EXE
2844	tmypzt.exe
2852	taskdl.exe

Loads dropped DLL 16 IoCs

pid	Process
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
2528	cmd.exe
852	qydxwh.EXE
852	qydxwh.EXE

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
928	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A7F3.tmp\\MBRPayload.exe"	MBRPayload.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBRPayload.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001678f-30.dat	upx
behavioral1/memory/1344-31-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/1344-129-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral1/files/0x0005000000019371-184.dat	upx
behavioral1/memory/2528-186-0x0000000002720000-0x0000000002794000-memory.dmp	upx
behavioral1/memory/880-190-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/880-620-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-643-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-649-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2528-648-0x0000000002720000-0x0000000002794000-memory.dmp	upx
behavioral1/memory/2400-650-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1344-652-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral1/memory/2400-656-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-660-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-664-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-669-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2400-899-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmypzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBRPayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Craze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	melter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Craze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pzersa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qydxwh.EXE

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
908	timeout.exe
2940	timeout.exe
1000	timeout.exe
2612	timeout.exe
1764	timeout.exe
1148	timeout.exe
1016	timeout.exe
2572	timeout.exe
1364	timeout.exe
2948	timeout.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2032	taskkill.exe
2004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ea60b70cd089742858f7ef23fca2c5b00000000020000000000106600000001000020000000f6bc8ec8c0671eec5209e4cb1f4d55af016fbb121838b45b75763e6fca3ee729000000000e800000000200002000000019acb13b4065fb12d2b5f8462c0b0f62b32ef5cc6a8a0b71a0d8b5755b689ef9900000004dea70ee72a344161fbc9965858dfe6517ab7afac9fc512266af22298369c3863c906d06be91606d9ff5f3575475ebee9f98a4857cacdc60f70f6edf7e4cb8d315186a79f52a0d3b93b6bab82c296ecc82bd544ffcbd3502f7e7eed072b930e485477980001a6e3e9517882624ba4c95e03fa8ad64595e4b6973f7ab3dd1101b9611ba4fd0ff0c65fb84b5a57fdd83c840000000c4944a159f9fdc55f7c14def28795de954d8232cacc687d1b5796bd0143fe6f899d364a8809435776a3564ded97ccb599d763e803ae2cb92f79b019fa9b48c23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ea60b70cd089742858f7ef23fca2c5b00000000020000000000106600000001000020000000c4b45ade4c202f83ec537d52a975758fa6658ee57bbfade1c58afbe2461aa15f000000000e8000000002000020000000d9991fe50d300924daca713e20e46609ed72835909d7f6d24597c4bd43c06f1c20000000d2abc10c9ff726d30a71b48ea7d4415a505ec3e3dbbb25271c8f0573ee1a2f9e4000000029c07ceae548b0e36424ab5268015a9a9b9fd643cdcc58cd088de9ea22b8f976ad3a8175ddc9e60f4a6f9e46e5a9f3c900be51df8814bfe92a817f8e42b6f3ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D680C91-DA9F-11EF-9CB4-D238DC34531D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501d7a34ac6edb01	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2848	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
408	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2912	System32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	System32.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2912	System32.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeShutdownPrivilege	1036	shutdown.exe
Token: SeRemoteShutdownPrivilege	1036	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1436	iexplore.exe
1436	iexplore.exe
340	IEXPLORE.EXE
340	IEXPLORE.EXE
340	IEXPLORE.EXE
340	IEXPLORE.EXE
352	IEXPLORE.EXE
352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2912	2976	NetCat Loader.exe	31
PID 2976 wrote to memory of 2912	2976	NetCat Loader.exe	31
PID 2976 wrote to memory of 2912	2976	NetCat Loader.exe	31
PID 2976 wrote to memory of 2264	2976	NetCat Loader.exe	32
PID 2976 wrote to memory of 2264	2976	NetCat Loader.exe	32
PID 2976 wrote to memory of 2264	2976	NetCat Loader.exe	32
PID 2912 wrote to memory of 2792	2912	System32.exe	34
PID 2912 wrote to memory of 2792	2912	System32.exe	34
PID 2912 wrote to memory of 2792	2912	System32.exe	34
PID 2912 wrote to memory of 536	2912	System32.exe	36
PID 2912 wrote to memory of 536	2912	System32.exe	36
PID 2912 wrote to memory of 536	2912	System32.exe	36
PID 2912 wrote to memory of 1344	2912	System32.exe	38
PID 2912 wrote to memory of 1344	2912	System32.exe	38
PID 2912 wrote to memory of 1344	2912	System32.exe	38
PID 2912 wrote to memory of 1344	2912	System32.exe	38
PID 1344 wrote to memory of 2528	1344	pzersa.exe	39
PID 1344 wrote to memory of 2528	1344	pzersa.exe	39
PID 1344 wrote to memory of 2528	1344	pzersa.exe	39
PID 1344 wrote to memory of 2528	1344	pzersa.exe	39
PID 2528 wrote to memory of 908	2528	cmd.exe	41
PID 2528 wrote to memory of 908	2528	cmd.exe	41
PID 2528 wrote to memory of 908	2528	cmd.exe	41
PID 2528 wrote to memory of 908	2528	cmd.exe	41
PID 2528 wrote to memory of 2436	2528	cmd.exe	42
PID 2528 wrote to memory of 2436	2528	cmd.exe	42
PID 2528 wrote to memory of 2436	2528	cmd.exe	42
PID 2528 wrote to memory of 2436	2528	cmd.exe	42
PID 2528 wrote to memory of 2848	2528	cmd.exe	43
PID 2528 wrote to memory of 2848	2528	cmd.exe	43
PID 2528 wrote to memory of 2848	2528	cmd.exe	43
PID 2528 wrote to memory of 2848	2528	cmd.exe	43
PID 2436 wrote to memory of 408	2436	MBRPayload.exe	44
PID 2436 wrote to memory of 408	2436	MBRPayload.exe	44
PID 2436 wrote to memory of 408	2436	MBRPayload.exe	44
PID 2436 wrote to memory of 408	2436	MBRPayload.exe	44
PID 2528 wrote to memory of 604	2528	cmd.exe	46
PID 2528 wrote to memory of 604	2528	cmd.exe	46
PID 2528 wrote to memory of 604	2528	cmd.exe	46
PID 2528 wrote to memory of 604	2528	cmd.exe	46
PID 2528 wrote to memory of 2940	2528	cmd.exe	47
PID 2528 wrote to memory of 2940	2528	cmd.exe	47
PID 2528 wrote to memory of 2940	2528	cmd.exe	47
PID 2528 wrote to memory of 2940	2528	cmd.exe	47
PID 2528 wrote to memory of 1360	2528	cmd.exe	48
PID 2528 wrote to memory of 1360	2528	cmd.exe	48
PID 2528 wrote to memory of 1360	2528	cmd.exe	48
PID 2528 wrote to memory of 1360	2528	cmd.exe	48
PID 2528 wrote to memory of 1756	2528	cmd.exe	49
PID 2528 wrote to memory of 1756	2528	cmd.exe	49
PID 2528 wrote to memory of 1756	2528	cmd.exe	49
PID 2528 wrote to memory of 1756	2528	cmd.exe	49
PID 2528 wrote to memory of 1000	2528	cmd.exe	50
PID 2528 wrote to memory of 1000	2528	cmd.exe	50
PID 2528 wrote to memory of 1000	2528	cmd.exe	50
PID 2528 wrote to memory of 1000	2528	cmd.exe	50
PID 1360 wrote to memory of 1436	1360	WScript.exe	51
PID 1360 wrote to memory of 1436	1360	WScript.exe	51
PID 1360 wrote to memory of 1436	1360	WScript.exe	51
PID 1360 wrote to memory of 1436	1360	WScript.exe	51
PID 1436 wrote to memory of 340	1436	iexplore.exe	52
PID 1436 wrote to memory of 340	1436	iexplore.exe	52
PID 1436 wrote to memory of 340	1436	iexplore.exe	52
PID 1436 wrote to memory of 340	1436	iexplore.exe	52

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1848	attrib.exe
2748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
"C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\pzersa.exe
    "C:\Users\Admin\AppData\Local\Temp\pzersa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\PanKoza.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:908
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\MBRPayload.exe
        
        MBRPayload.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\MBRPayload.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2848
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\note.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2940
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\sites.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UCTmub7HjR9Kc8Uh-Vy3eLaw
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:406549 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:352
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\melter.exe
        
        melter.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im melter.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\Craze.exe
        
        Craze.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im craze.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\screenscrew.exe
        
        screenscrew.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\lines.exe
        
        lines.exe
        5⤵
        Executes dropped EXE
        
        PID:1904
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1148
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\INV.exe
        
        INV.exe
        5⤵
        Executes dropped EXE
        
        PID:604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1016
    - - C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\Craze.exe
        
        craze.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2948
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
- - C:\Users\Admin\AppData\Local\Temp\qydxwh.EXE
    "C:\Users\Admin\AppData\Local\Temp\qydxwh.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:1848
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:928
  - - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c 77541737756441.bat
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\tmypzt.exe
    "C:\Users\Admin\AppData\Local\Temp\tmypzt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
  2⤵
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b1e40548664978d153e7da3c889d55ea

SHA1
12352f2ff42341ccc14daf4ece4f46444cf3bbc2

SHA256
5fed383d0f56a14ca6ba83dcb242484b3e51cb4c49bc1c5578a65f4505733d1a

SHA512
4a6cffedb80ad68b5596a730071fdabf78f625cb830180846897875d2ac5934ac21badac2838135e9b04b8fcd5c61962f08ef766f8a5d607bd779380cea1b513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a349025ce42b68154e51a3b08bfb2cb

SHA1
6ecde9e1e0231c82e91622d94e3eceea0560b7de

SHA256
2a24a34a5a555ed17e9666365bdef48148f543cdb71e9076e0becaf78188429e

SHA512
4d56ab6387d9f0459a19fed89b0deb403575be1088ff31f392a5212839ecc69ee57d13ee84ac7db6124cac4478dacbcefa6cec78dea232eb209dc51107921bc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
405fe576b5555bd5d08f04d4f1c74917

SHA1
1f4f34e701af3d25ab1fde5fcb1968b2c8470cd3

SHA256
654018a0ba736ecacbc4e4d405527ce3624480ca171858f1947f57ccbca8c3cc

SHA512
831b2a849ef7c74773b497f3ca58d992cec4374ca4f66ff7ec1fa02b3efabdcbf7d861378b82897dc55f7944bf56d80b89c1b76cb0ce8294ffb9f2ad9c1c7755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40dd2e850f0dec1900ae8f8577a6d752

SHA1
f0dec01d4393644afed5c8536233bc35998c9bda

SHA256
68b2f6a8fd345c940888c3f3984b450eabfbe98cd9a70fdade851aaff7730d8e

SHA512
fdfc3aaa0fff559b0609cb269c103d3538d23de70d5ebe6d393bed2a14b879473813b77327698df141a26e61f144a7b7f5b9a2a7e47252af958af0dc4df6a8c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e500bdd39d5e4c1fdf035bfcf1c0385

SHA1
269b07eaebc4dda035e141dcc9cf7fca440a50ca

SHA256
f397463baf7c395705b1ad660313f64efffb63e61296932fc15e522ec2936e66

SHA512
ad8bf5b4a3223ccc3beca8e1e6aa0313c58f7d24dbc69dfdfe1cd573add295e994f209e698ea3024e78ff225ab3037be123259b7847e1c2cb2e99cfde7d0173f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bfc2409de477f41cf6c7848684c10ed

SHA1
18de0f0c979a8428e3c2fc36c182cbcd7af89999

SHA256
d779265aaa5efaf11a90db09aac8af948a00a9e29ca8f2ed17aa99ea6798fee2

SHA512
e75f9532391ed9f62e5a953e57c83bab4b57ede831494b43614d1b9bd1695ad50d446e5dcec7b27199fee4021dd1751d23a610957db7c0b996f0c1bb48c629d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e90a1e802aa8a1101bce2acdf6482b0

SHA1
84a32b705fa7015019423dcc8175c2060fa7d592

SHA256
7444602f541a73d2fe0b835826280fbefff402ec5d6bd26ac8778db896d9eda8

SHA512
50443b1752ca3f6884d9865540337312e9fda45bb55b3cae74fa66bd986d44c12cadb679d2a036f9e5541fac446f1c73cd132c53c85ae32d3adf4b4d21fb2402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1afdd4a12e53b1236df0ba5b0dbcda2f

SHA1
73b11e53c84f46733b82019042949a065f573f9e

SHA256
1f58ec81df1f9118902d097ea8774426cf2e5aba375189d0f59f2f19fb1b69b9

SHA512
372ba707211beaf9b33f4b636adcd0b66b1ee894482aacb2e265258bda30cfca5af06f5049cffb0d745c3ced56a0a483793b99deff70e33d03f74d627062b39d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e70060948a08b85acacf73a9e7fce14a

SHA1
e4921a8a7a1c87a66a7e9f3a037ce735dc468ae8

SHA256
0a4b5c2c929f207576e621c7a238c69f496d7eb4f96f4bf830b6bdc916103fbe

SHA512
6062512e6af4936eb66646773e132740ee7720cd113ca60ad3980760c49ff3fe5d4d30c487c9d58468d670da9e4a3109bbc06cf5c82006480e1e6af8946c3adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7019c71681cdd3c2d9f52537cece07c4

SHA1
1998dbb2a7f9098bc7126b9fc2aa11cb11d850a8

SHA256
8aee43d8ffa8a208bfbe6988f85ee486778dbd68f1d3952bcc9ed16e3674be9d

SHA512
51db4ab571e9a6b521219b07d1375217ad9a7fe9865324bf7e035e98e2fd148f207c2a06fafc353e0cf0f1e372b143eaaabc6713228e03aa38175249f2bfab0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3af8e2320b32a3da1de5f30993621966

SHA1
0ab195aaee31f790d3df4eaae7d19772ce79cbc7

SHA256
fc52bd1561c82462cd48695d4c7a02e9655f475e3574922f9220d4a13ca07817

SHA512
83a7026e9d600477072f020e77b24de4eea4c610f5c77668ea55a55c06422c20dfb100f06931aeab2055ffc89e77e2164bee11c7ed867241b530ee936ec0961d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31eeb8126b74adb6d3564b87c21b85f5

SHA1
92f77fb956fbf7fd63a75230f1a9dd2ac4638dfc

SHA256
f146baef3f62923c1d690511a4fc510322640abbfb749595a95096cc821a2835

SHA512
5bafaa2d32afdb6384198993105390444a7e4fc088054af218937101f124f1dbb00704befb52a5d3387a7f8008be6d73623bacaf6b05ac6b430795f3a50faa30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b75ed89cc0355fb08d7b02266908c70f

SHA1
c4d1169fc4ea181668fdf901ef4c2066c98ee0ab

SHA256
d541f444db156d1b57de4f24fad9fbf80de4335979b024b874e34b4c38bdaf22

SHA512
3c59dd78dbe58d755541c2779df2d049ba88edc088ceb03c19f7ffee271bccec53f656f1aafbbe9f34d9a8be7e8b5a79b24650fb6f54b03a955efe5bea33f184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6a9b1b1af3470305e5f784e39e25cf0

SHA1
c76442563d8c864117ecd66d07809641b720439e

SHA256
6a93edb9394337ddae226db2a07d7912b09d4517d899b4d7e12505ec1f74e636

SHA512
b81842395f2b9625da70e935043dd33290edd4a2f8b4b3cc3c413caaefdd2d4e1065ee061b056fc0c0f38799101541e6608ac38eed1296a8398d0234315624a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b290ad80a9a41109fa91225698223497

SHA1
865e6d60c6fbdd3cd27b82ee8d1fce41ee19509a

SHA256
caf0333a56d0777fa1f39a1d266ae3751ee453bef64b0aec13410fea5dfbb4c8

SHA512
3c244f70917ac7a412ab906978057af91707ae9d4b25dc3554065f6f03aa98203db6f7f1334793a8bcac899575a39a42b5f180bcf0dcddcfb22799f9bb0f5293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c88602cfe4ea9559b3a77b0151e86e14

SHA1
6ac0fd35a73aa354a2d95671e4c5598b217f4af5

SHA256
db7b91a69358471703e8ba6276f29b853ce9143840567a4b607af14a285c2a0f

SHA512
35ed8c8291ff6eff661916da52b6d96d0ee61bf5a4628b0ba44d1a2e4876bcd9605cafe656a499fb893a2508d02fef878d83eb1b7fe744b604894c86c5b3474e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fa7cfd3a158ecc22698f9cba0c111cb

SHA1
0d53489e74274219dda69862f7c5a85e5b1cf350

SHA256
dd5ec4da50c5a94c9e3a563c66f3b759266eeb39e76eb9c92c141a0af40cde7c

SHA512
1c7c993a5c54f2c1cb3760d7f3c90875ba039a82880adfe80a54a470bc5dd47868849c97fd04e59cee3a02756294d7bf445f293c676aa9eec93b6955fcfce21a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c17899836f87da230a01c4f0a19ef9ce

SHA1
37bd5c31329dd6ab32dd3a6033a73abb06d7551a

SHA256
4df6941d60d89dbe99071867f5d08809e9f28e9d64fd25dcb6b2fa570803b5c0

SHA512
a2d17fb2c5a234dd4ef7b7ebdb2e54e94c78cc9d0e5f880479f85c608bdaaa129a0c1cc54a76982e41f52e00927867a42d01074df074f6c92781fe06cfc90c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ee1b795b596a93dbe6503256811b7e5

SHA1
8a5b893eeec37bc0a8ec0634d85ecd42174a84fc

SHA256
41e9ea9d17988e5eeec3cfe649f07884130da53505c6f9d785a063b5fb75fa15

SHA512
85b5348a6753720e551af1c2772ec63bb4229480eac245acab4401202f30bf4a57c037fddaea30af910345f8417ef18d90aa4f12e1fc7c46012d22b12b724672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd19680bb74ee5a059c01cdea1ea0c7b

SHA1
395f9f00f07fa384bbae3d4fcb9be3930b5d1479

SHA256
fcbcb25a2931af81dd46b9108fc73d3751b377ed688bf21f425808974004ae66

SHA512
eef2d12146bf568675ff5ea1988b7ac15d0e3d8f48093e33e5b2095a2bbe738d4c002809283f19c4c916c50aaa484bb52784a10cf4b1c1c8fb59ed59af1a9155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
642bc4e137943c7b7b0e4799dea43940

SHA1
80f2aec31a34033efb884c532dba97d8776a9c67

SHA256
307d97a3a7fc00622a3acf53f5e5492a66c369ec5aa97d1b28c9efe9fe70fcbb

SHA512
d467b03e08963ca2e4a2c5b79a894f7c617cd4ea30363a63d7c39b672d5fdf1345d6c0364cb8e37b44883362458e760104139142c558c27db23e6f36ec7758f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
5KB

MD5
8f8df5b78cf987f25433b77fdd7e1ce0

SHA1
1aa4fbf5276dd3322c3ad5df8aa0f73f024281b7

SHA256
fdae597b4b27e8aed759db8cc1f4e6108830d7697d14c3a12d1219142dbb0acc

SHA512
88c43f71d389e8089abb6df747e7184efb232dc3b7f5d19e237781d2892156c0038d9bf88951bba74d6fdbf422c7a30f8b99e55a8ac553d12c0fb59cea7854c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\77541737756441.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\INV.exe

Filesize
103KB

MD5
e079c468c9caed494623dbf95e9ce5e8

SHA1
4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7

SHA256
8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c

SHA512
d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\PanKoza.bat

Filesize
736B

MD5
24f0349bbf490fea5eb3acbf54bd1ba8

SHA1
e3ca3514fe098b27dac66dfaa93e035fe6ef25f0

SHA256
78c3005b4d5f500de7d540822cf2c334fc585a6a0d45da8c4af47f1500239899

SHA512
4aac8a6652c1ff52c797344299f5f21746ff1769425bcdbbe4b04fa9363619e320811a8bf8ef0c18e7d0758f38d6a33249c14c9af4a3773da61bb2d7910fa26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\melter.exe

Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\note.vbs

Filesize
123B

MD5
b41b06859fca8e157db46e6609e4a51d

SHA1
8daa0836735347c030e641abdc277bbd66662c33

SHA256
f613aec542d7967cae9d01794b7061bce5083d68c825821a5b702e97f32039c4

SHA512
4290d132c7c1ad154a3ade465e810e9fe4db5a8e0604a35d53e82a6482cd22fdd8ba74e97c0bc2e146e2bcf2ecc9afcc4e4e358e98b353168b67a71b71ced75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7F3.tmp\sites.vbs

Filesize
287B

MD5
5c5324b059b0abf1824a5223832b8479

SHA1
145c596bd6bfc1bfbd1a5a2aa8e5f4b3cef4ef57

SHA256
9fd517699e352ffb9fd73319eb1ec58e7e771457f6e7c1d715e0f57e1d37d733

SHA512
b8219eba1d34c83cc193b5ba2da8aa9dce4f8b221c9aac3a52256e6c2855b77be4270a629dec7e36c92652f9b5e4c1dbc84b91a3bcdca663cc3d728eada6c3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED9C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED9E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzersa.exe

Filesize
552KB

MD5
4860c95131365be3bfa06efd3d95b7af

SHA1
3bc68ad8b5725137ff85709988ef434088ae2c81

SHA256
7bda3690420d2b0cf562713a67b95071d9b44ac01bfabe6cab4c4acbbaa04737

SHA512
00dcca22cd2feeab004a44f8f61c8c67172c88ee4ff4fa8dd495d09606fb6f231be79c8a2707e1c8cc934ffda73445bdaeb05f5ba77034cfbce3a8af75c7f00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qydxwh.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmypzt.exe

Filesize
4.2MB

MD5
b91ab90f56394359bace83d1e6d686e2

SHA1
953fcc2dca1047772c5bfbd7f49f7dd2fb5d1bd6

SHA256
433ea10fa074c306cc89952722a1ff21d110f73253c42a54a34cde2308624315

SHA512
3f9aaee2c47510d44a219137c6b9fc278790131a0b18494f4fc350bd7073bced60ccb08ccfea4f406ce0bea898b6f6d3e550be027271375e59f5ba5c62862aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmypzt.exe

Filesize
4.6MB

MD5
e86dd00ae03ba974321ec4114ca5c3d5

SHA1
7782cd357c513e48f7f2a717fb38a93609e01ac8

SHA256
eeefd39705069186da0376cb281c81d5e4bd310edfb0326b7dc15427cb6e17e1

SHA512
9bc9c90aba14fd90aa6cd952c8c7a0f48e1a0fe2554b54c4793894f47b4e0f2a145383642beeeb4e783fc96a64c06bb25cf98536e1ab694665a04a3788bde426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QBOWC1UU.txt

Filesize
305B

MD5
54a97b7210263c84d9b87d67409e0b72

SHA1
9032e7f6192aee0559058d6bc58056c041e44ce4

SHA256
bf9da18ea530b5625c7ef2013a2f5c408ead1bbb280a5ff1aa003d9d6701ca1f

SHA512
a5eebd7aba9ab1a9d887c690c16f6c2c436a97ea704315fc557e329e3e31143436d510dfb2464aac60fb4b8fe26f453c4c523ba64b50f384e6f2e8ecba38ac78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BMRRHKAER6K1F165Y1XN.temp

Filesize
7KB

MD5
905884baab77117cf392c8c22a8594fe

SHA1
e41ffb0ddf7e5ad46615ecca643fa99a8c122018

SHA256
3f4a244504c825c52d69906828af0dfbc7e7dcb9c839b666e62c37a1428a92e4

SHA512
00dae350749c1cfe805e1ea75c5940439a3f91514ac934f1a1942cc280248855bb112af61932b1badf4b14577513c7a8dff30c3869c8767a3b967b5c732de52f

Download Submit
C:\Users\Admin\AppData\Roaming\System32.exe

Filesize
63KB

MD5
66bbe5829a613fedad7f79e2c6273448

SHA1
57314396a65e08b7bfc5f0b8cdfa9a050579d9d9

SHA256
72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd

SHA512
9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

Download Submit
C:\Users\Admin\AppData\Roaming\Thanks For Using.txt

Filesize
57B

MD5
f9cfd0c4da0a9a068f8a26ee31c85036

SHA1
ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5

SHA256
e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d

SHA512
f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
\Users\Admin\AppData\Local\Temp\A7F3.tmp\Craze.exe

Filesize
202KB

MD5
ad27143d078706b7cadcbb3f63212384

SHA1
71e532c89954881636f8fe973b9ea035a9e2de6d

SHA256
0b86d60e99e9f4a3bfa60cd447ac62eda52428be564f777151c883fdf547fb26

SHA512
39d8abb4883d3db96a88e88ea76ec8cc6a11e8905eeba593789a08b7d26cf449d682b2537cda790b124e06dc94bede7a78477f941220fe47d3e7ffad3bf9868b

Download Submit
\Users\Admin\AppData\Local\Temp\A7F3.tmp\MBRPayload.exe

Filesize
101KB

MD5
3aa620597abcae5c26b71e21e15b9acf

SHA1
ed797bc834050bc108a31f1511102608943391c5

SHA256
91f9327997754b0238caeff5cffced7eed3e13d5ac39dec87b329678bee8a145

SHA512
562de36b77f6cf5a369c8b434fb5605ee4169fa50c6a4df4d22c1a64dfec39d779b1fc285407ab851ef27b33061159cb1bb548079fa0d0a3d2e10517f8ee0b12

Download Submit
\Users\Admin\AppData\Local\Temp\A7F3.tmp\lines.exe

Filesize
103KB

MD5
50caeee44dc92a147cf95fd82eb6e299

SHA1
a6619a150a31f4c1b4913884123f5b5334e23489

SHA256
81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

SHA512
e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

Download Submit
\Users\Admin\AppData\Local\Temp\A7F3.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
memory/536-24-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/536-23-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/604-645-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/852-1133-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/880-190-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/880-620-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1344-31-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1344-652-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1344-129-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1904-637-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2032-681-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-654-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-1391-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-662-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-636-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-658-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2032-646-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2400-899-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-664-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-650-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-649-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-669-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-660-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-643-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2400-656-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2436-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2528-641-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2528-642-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2528-629-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2528-189-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2528-186-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2528-648-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2792-17-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2792-16-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2912-630-0x000000001B4F0000-0x000000001B5D0000-memory.dmp

Filesize
896KB

Download
memory/2912-25-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-11-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-10-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-8-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/2976-1-0x0000000001040000-0x000000000105A000-memory.dmp

Filesize
104KB

Download
memory/2976-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download