povertystealer | a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73

Analysis

max time kernel
92s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe
Size

1.4MB
MD5

96a4885c4e2c4d005748b531c26b61d0
SHA1

f2d5b366c11adc7632f94cd2cc7525f9b93bfea3
SHA256

a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73
SHA512

be1b5c53741b04b3d191fb32e4ddff468ac7cb735048b8bb9413fc8726b4e18c05b77395636170d47bf838c522541cea47cdefcb0a3071d67e57aa3a8248b763
SSDEEP

24576:3Mjhfa5aaH+5vgpD650+RFo6kF/5SrkGB8PGqooMWiI05bmktUNudtJjdPrF:K/nog50+Ri6kokGB9qoC1ab7SNudXjdZ

Score

10^/10

povertystealer discovery execution stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 8 IoCs

resource	yara_rule
behavioral2/memory/2352-117-0x00000000009B0000-0x00000000009BA000-memory.dmp	family_povertystealer
behavioral2/memory/2352-121-0x00000000009B0000-0x00000000009BA000-memory.dmp	family_povertystealer
behavioral2/memory/2352-123-0x00000000009B0000-0x00000000009BA000-memory.dmp	family_povertystealer
behavioral2/memory/2352-124-0x00000000009B0000-0x00000000009BA000-memory.dmp	family_povertystealer
behavioral2/memory/4728-150-0x0000000001020000-0x000000000102A000-memory.dmp	family_povertystealer
behavioral2/memory/4728-154-0x0000000001020000-0x000000000102A000-memory.dmp	family_povertystealer
behavioral2/memory/4728-156-0x0000000001020000-0x000000000102A000-memory.dmp	family_povertystealer
behavioral2/memory/4728-157-0x0000000001020000-0x000000000102A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp

Executes dropped EXE 2 IoCs

pid	Process
2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp

Loads dropped DLL 6 IoCs

pid	Process
2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2352	regsvr32.exe
4728	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2260	powershell.exe
3244	powershell.exe
2564	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
2352	regsvr32.exe
2352	regsvr32.exe
3244	powershell.exe
3244	powershell.exe
2564	powershell.exe
2564	powershell.exe
2352	regsvr32.exe
2352	regsvr32.exe
2352	regsvr32.exe
4728	regsvr32.exe
4728	regsvr32.exe
2260	powershell.exe
2260	powershell.exe
4728	regsvr32.exe
4728	regsvr32.exe
4728	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeIncreaseQuotaPrivilege	3244	powershell.exe
Token: SeSecurityPrivilege	3244	powershell.exe
Token: SeTakeOwnershipPrivilege	3244	powershell.exe
Token: SeLoadDriverPrivilege	3244	powershell.exe
Token: SeSystemProfilePrivilege	3244	powershell.exe
Token: SeSystemtimePrivilege	3244	powershell.exe
Token: SeProfSingleProcessPrivilege	3244	powershell.exe
Token: SeIncBasePriorityPrivilege	3244	powershell.exe
Token: SeCreatePagefilePrivilege	3244	powershell.exe
Token: SeBackupPrivilege	3244	powershell.exe
Token: SeRestorePrivilege	3244	powershell.exe
Token: SeShutdownPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeSystemEnvironmentPrivilege	3244	powershell.exe
Token: SeRemoteShutdownPrivilege	3244	powershell.exe
Token: SeUndockPrivilege	3244	powershell.exe
Token: SeManageVolumePrivilege	3244	powershell.exe
Token: 33	3244	powershell.exe
Token: 34	3244	powershell.exe
Token: 35	3244	powershell.exe
Token: 36	3244	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeIncreaseQuotaPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeTakeOwnershipPrivilege	2564	powershell.exe
Token: SeLoadDriverPrivilege	2564	powershell.exe
Token: SeSystemProfilePrivilege	2564	powershell.exe
Token: SeSystemtimePrivilege	2564	powershell.exe
Token: SeProfSingleProcessPrivilege	2564	powershell.exe
Token: SeIncBasePriorityPrivilege	2564	powershell.exe
Token: SeCreatePagefilePrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeRestorePrivilege	2564	powershell.exe
Token: SeShutdownPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeSystemEnvironmentPrivilege	2564	powershell.exe
Token: SeRemoteShutdownPrivilege	2564	powershell.exe
Token: SeUndockPrivilege	2564	powershell.exe
Token: SeManageVolumePrivilege	2564	powershell.exe
Token: 33	2564	powershell.exe
Token: 34	2564	powershell.exe
Token: 35	2564	powershell.exe
Token: 36	2564	powershell.exe
Token: SeIncreaseQuotaPrivilege	2564	powershell.exe
Token: SeSecurityPrivilege	2564	powershell.exe
Token: SeTakeOwnershipPrivilege	2564	powershell.exe
Token: SeLoadDriverPrivilege	2564	powershell.exe
Token: SeSystemProfilePrivilege	2564	powershell.exe
Token: SeSystemtimePrivilege	2564	powershell.exe
Token: SeProfSingleProcessPrivilege	2564	powershell.exe
Token: SeIncBasePriorityPrivilege	2564	powershell.exe
Token: SeCreatePagefilePrivilege	2564	powershell.exe
Token: SeBackupPrivilege	2564	powershell.exe
Token: SeRestorePrivilege	2564	powershell.exe
Token: SeShutdownPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeSystemEnvironmentPrivilege	2564	powershell.exe
Token: SeRemoteShutdownPrivilege	2564	powershell.exe
Token: SeUndockPrivilege	2564	powershell.exe
Token: SeManageVolumePrivilege	2564	powershell.exe
Token: 33	2564	powershell.exe
Token: 34	2564	powershell.exe
Token: 35	2564	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2124	5036	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	83
PID 5036 wrote to memory of 2124	5036	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	83
PID 5036 wrote to memory of 2124	5036	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	83
PID 2124 wrote to memory of 3924	2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	84
PID 2124 wrote to memory of 3924	2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	84
PID 2124 wrote to memory of 3924	2124	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	84
PID 3924 wrote to memory of 2136	3924	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	85
PID 3924 wrote to memory of 2136	3924	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	85
PID 3924 wrote to memory of 2136	3924	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe	85
PID 2136 wrote to memory of 2352	2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	86
PID 2136 wrote to memory of 2352	2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	86
PID 2136 wrote to memory of 2352	2136	a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp	86
PID 2352 wrote to memory of 3244	2352	regsvr32.exe	87
PID 2352 wrote to memory of 3244	2352	regsvr32.exe	87
PID 2352 wrote to memory of 3244	2352	regsvr32.exe	87
PID 2352 wrote to memory of 2564	2352	regsvr32.exe	91
PID 2352 wrote to memory of 2564	2352	regsvr32.exe	91
PID 2352 wrote to memory of 2564	2352	regsvr32.exe	91
PID 5040 wrote to memory of 4728	5040	regsvr32.EXE	110
PID 5040 wrote to memory of 4728	5040	regsvr32.EXE	110
PID 5040 wrote to memory of 4728	5040	regsvr32.EXE	110
PID 4728 wrote to memory of 2260	4728	regsvr32.exe	111
PID 4728 wrote to memory of 2260	4728	regsvr32.exe	111
PID 4728 wrote to memory of 2260	4728	regsvr32.exe	111

C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe
"C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\is-GNVHE.tmp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GNVHE.tmp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp" /SL5="$501E2,1081243,161792,C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe
    "C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\is-2PD91.tmp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2PD91.tmp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp" /SL5="$F00E4,1081243,161792,C:\Users\Admin\AppData\Local\Temp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\9ntdll_4.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv' }) { exit 0 } else { exit 1 }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05DD0CE1-EF97-4824-DBD2-A7456DF810EE}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
d83f26f93139b58264c5abea553a1ef2

SHA1
0d888aac6549a65995a7559dd8908af189e9640e

SHA256
a847cd208732fef9aba1eeec9c9663625d9811194448d6228d3a30706875eb71

SHA512
aa3ac1157e70cb7ebc3690391c3c6739d8644048a1056666963fe5ae9b91eed20b3ccf822d34d02e2d33d4ada95de3fffa454361f027987501fac4fa7b3b40e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
e6640e9459fb44b7c8b4668372ece6bf

SHA1
86c2ca7b7e2ad0291e26393904b2679bb177a4c7

SHA256
633b22695b8e812fb407a4dfd94abecf7c68bcda4e69d07588bf21f8300ca502

SHA512
ea72e126583ec2bc959ca3675e62727cde57e81593f2deedfcfccdc5dd75eb6593b794e3ae261b9f9d6e8ddaa5930cdac7f66e72c80972ba53cf50355aa26bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30tpwa1m.1ig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7KGTE.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GNVHE.tmp\a2d53e86197c92c8532daac73fde6cfbe913940fc2fbfd7f76f862879d83de73N.tmp

Filesize
1.1MB

MD5
bcc236a3921e1388596a42b05686ff5e

SHA1
43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

SHA256
43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

SHA512
e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAUP3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\9ntdll_4.drv

Filesize
3.0MB

MD5
0cfacfa4f5044659a2928ec133ca6fb1

SHA1
d4ef7b298d5fc6e58a83cd994d9b739c82ff3188

SHA256
54d6ad606a151e075b2e854da88c876ace57c42d4c94ddf13acb2ccd8695bdce

SHA512
630bee59a1b1a8c461841e380364635f7c620a21102c1a347375602b827b3edaea3a7a23e6517b5a5124a02094c4a37f443b10728a92efae6e3817689078b63c

Download Submit
memory/2124-7-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2124-25-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2136-33-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2136-53-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2260-136-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/2260-138-0x0000000006A50000-0x0000000006A9C000-memory.dmp

Filesize
304KB

Download
memory/2260-139-0x00000000702C0000-0x000000007030C000-memory.dmp

Filesize
304KB

Download
memory/2352-117-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2352-125-0x0000000073C60000-0x0000000073F26000-memory.dmp

Filesize
2.8MB

Download
memory/2352-124-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2352-123-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2352-121-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2352-116-0x0000000073C60000-0x0000000073F26000-memory.dmp

Filesize
2.8MB

Download
memory/2564-104-0x0000000074290000-0x00000000742DC000-memory.dmp

Filesize
304KB

Download
memory/3244-74-0x0000000074290000-0x00000000742DC000-memory.dmp

Filesize
304KB

Download
memory/3244-71-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/3244-58-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/3244-84-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/3244-85-0x0000000007520000-0x00000000075C3000-memory.dmp

Filesize
652KB

Download
memory/3244-86-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/3244-87-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/3244-88-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/3244-89-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/3244-90-0x0000000007870000-0x0000000007881000-memory.dmp

Filesize
68KB

Download
memory/3244-56-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/3244-59-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/3244-72-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/3244-73-0x00000000072D0000-0x0000000007302000-memory.dmp

Filesize
200KB

Download
memory/3244-60-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3244-70-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/3244-57-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/3924-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4728-150-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/4728-154-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/4728-156-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/4728-157-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/4728-158-0x0000000074AF0000-0x0000000074DB6000-memory.dmp

Filesize
2.8MB

Download
memory/5036-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download