Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/01/2025, 22:50 UTC

General

  • Target

    799a5a6ba92e7a86a579e1a4d94204e4e40798ef384239aaee4c1d0cb1331b05.exe

  • Size

    1.2MB

  • MD5

    cce161d87ab59da77d10f4e6f10a0573

  • SHA1

    3ffb8bffa7a57c0c534d4845f3f018090252536c

  • SHA256

    799a5a6ba92e7a86a579e1a4d94204e4e40798ef384239aaee4c1d0cb1331b05

  • SHA512

    c623b99eef20dacb37ef20ce9fac4a6707bd57ae31416ed492cf7eb0d0a1dde54997f3719ffa4e0ead0ef5a62def34b9e22104d89c7a394d3f5ffad2cb0a8844

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtit:WIwgMEuy+inDfp3/XoCw57XYBwKt

Malware Config

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families; it was first seen in 2018.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • VMProtect packed file 10 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\799a5a6ba92e7a86a579e1a4d94204e4e40798ef384239aaee4c1d0cb1331b05.exe
    "C:\Users\Admin\AppData\Local\Temp\799a5a6ba92e7a86a579e1a4d94204e4e40798ef384239aaee4c1d0cb1331b05.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2796
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1048
    • C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:760
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    1⤵
      PID:4136
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240613937.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3200
    • C:\Windows\SysWOW64\Ghiya.exe
      C:\Windows\SysWOW64\Ghiya.exe -auto
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\Ghiya.exe
        C:\Windows\SysWOW64\Ghiya.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:5052

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      67.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      cf1549064127.f3322.net
      Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      Remote address:
      8.8.8.8:53
      Request
      cf1549064127.f3322.net
      IN A
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=532605794&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=532605794&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=26E684BB4D9D670003FD913E4C5F663A; domain=.bing.com; expires=Wed, 25-Feb-2026 22:50:22 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E4AA943B635A421D8933562A1181FC15 Ref B: LON601060105054 Ref C: 2025-01-31T22:50:22Z
      date: Fri, 31 Jan 2025 22:50:22 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=26E684BB4D9D670003FD913E4C5F663A; _EDGE_S=SID=0D8C9A26FF65610415378FA3FE5460C6
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=DVo2vtfhyzXS7bqthcT9IULcdFS9RIvfD41f_S6qkVw; domain=.bing.com; expires=Wed, 25-Feb-2026 22:50:22 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 81A97F0E21D44132B99B7BEE60327299 Ref B: LON601060105054 Ref C: 2025-01-31T22:50:22Z
      date: Fri, 31 Jan 2025 22:50:22 GMT
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-gb
      GET
      https://www.bing.com/aes/c.gif?RG=14e4cf3f0c99487186ae842e4da35af3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T100716Z&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466
      Remote address:
      95.101.143.210:443
      Request
      GET /aes/c.gif?RG=14e4cf3f0c99487186ae842e4da35af3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T100716Z&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=26E684BB4D9D670003FD913E4C5F663A
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7F1A3B67DD624EE08E66C1EC64231930 Ref B: LON601060101029 Ref C: 2025-01-31T22:50:22Z
      content-length: 0
      date: Fri, 31 Jan 2025 22:50:22 GMT
      set-cookie: _EDGE_S=SID=0D8C9A26FF65610415378FA3FE5460C6; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=26E684BB4D9D670003FD913E4C5F663A; path=/; httponly; expires=Wed, 25-Feb-2026 22:50:22 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.c58f655f.1738363822.12c38286
    • flag-us
      DNS
      10.28.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.28.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      167.173.78.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.173.78.104.in-addr.arpa
      IN PTR
      Response
      167.173.78.104.in-addr.arpa
      IN PTR
      a104-78-173-167.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      210.143.101.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      210.143.101.95.in-addr.arpa
      IN PTR
      Response
      210.143.101.95.in-addr.arpa
      IN PTR
      a95-101-143-210.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      11.153.16.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.153.16.2.in-addr.arpa
      IN PTR
      Response
      11.153.16.2.in-addr.arpa
      IN PTR
      a2-16-153-11.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 43.249.193.73:54997
      799a5a6ba92e7a86a579e1a4d94204e4e40798ef384239aaee4c1d0cb1331b05.exe
      260 B
      5
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0
      tls, http2
      2.6kB
      9.2kB
      19
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=532605794&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8y3vRQ5_07OGxM4pMAMMLKTVUCUwZpJwbMOZPXOL4tRe_QothYFVCCEct5Fqdoh71wieBSTZp1GLSygkIZpxo2ljgjqqf9WAzzbT63VrVZ4yavY1vfy5XK_P_oiJG7YIMkGhdBg43IsWbgUS5PqlKMJ_GuwEtXlA9YZyX_2Xbs7JoTRXs%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5iaW5nLmNvbSUyZnNlYXJjaCUzZnElM2RtYWtlJTJiYSUyYm5ldyUyYnllYXIlMjUyN3MlMmJyZXNvbHV0aW9uJTI2Zm9ybSUzZE01MDBHNCUyNk9DSUQlM2RNNTAwRzQ%26rlid%3D4afe52c0690e1688e611355994b93d61&TIME=20250129T100716Z&CID=532605794&EID=&tids=15000&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466&muid=D1AAAD14B6FE74362F51AE121FA51FA0

      HTTP Response

      204
    • 95.101.143.210:443
      https://www.bing.com/aes/c.gif?RG=14e4cf3f0c99487186ae842e4da35af3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T100716Z&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466
      tls, http2
      1.4kB
      5.4kB
      16
      12

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=14e4cf3f0c99487186ae842e4da35af3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250129T100716Z&adUnitId=11730597&localId=w:D1AAAD14-B6FE-7436-2F51-AE121FA51FA0&deviceId=6825842710415466

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      67.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      67.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      cf1549064127.f3322.net
      dns
      Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      68 B
      129 B
      1
      1

      DNS Request

      cf1549064127.f3322.net

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      10.28.171.150.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      10.28.171.150.in-addr.arpa

    • 8.8.8.8:53
      167.173.78.104.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      167.173.78.104.in-addr.arpa

    • 8.8.8.8:53
      210.143.101.95.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      210.143.101.95.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      20.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      20.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      11.153.16.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      11.153.16.2.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa


    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AK47.exe

      Filesize

      91KB

      MD5

      423eb994ed553294f8a6813619b8da87

      SHA1

      eca6a16ccd13adcfc27bc1041ddef97ec8081255

      SHA256

      050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

      SHA512

      fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

    • C:\Users\Admin\AppData\Local\Temp\AK74.exe

      Filesize

      400KB

      MD5

      b0998aa7d5071d33daa5b60b9c3c9735

      SHA1

      9365a1ff0c6de244d6f36c8d84072cc916665d3c

      SHA256

      3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

      SHA512

      308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

    • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

      Filesize

      92B

      MD5

      29ce53e2a4a446614ccc8d64d346bde4

      SHA1

      39a7aa5cc1124842aa0c25abb16ea94452125cbe

      SHA256

      56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

      SHA512

      b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      753B

      MD5

      3d253a47a23a6b3547739f0f1fd80d04

      SHA1

      86935961667d1b44b5906f4cb4440589f988d95d

      SHA256

      2b159a6109c93cdd9ebde2de7ecd73554b0c98caa983c1d9dc06c36a8af7d721

      SHA512

      01ad04deb8379aef502d69e32b88ebd76c20bcd9bbe8370a3425ffd9fa318eaab9bae68da53416b3b8e2247878c0f019802d080aa0cdba58c5331d518fbd223a

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.2MB

      MD5

      180b71c8fa373e4334f7adb6b6c52548

      SHA1

      350fb54a214e897bbb67700ec1f6826d7b45c19a

      SHA256

      1e823a16ac550443c15c2669280dbbde32784e8cdacb16d674c7f37e5c60ac4b

      SHA512

      99a676d7bc3dafad5c38f4facb382830a5649dff01aab7b18dd92edeccd0aacb191015050f34f998fdbb5076a53c350a24fef6b87bc7fe69e1794c301322cc3f

    • C:\Windows\SysWOW64\240613937.txt

      Filesize

      49KB

      MD5

      387c384ce91464e7a42bf27dbbd5436a

      SHA1

      d2df7efe3c0a67a904c60ceb5ac61b3ba907fc37

      SHA256

      45b2751a76e6dbd93e549edd6db030653929d93cdccc74536c0f5db09613dca4

      SHA512

      f76311a8adaf5fb953b05920c35ccec719b31035eab0457ab499d87e743753d6f9d134b5aa3d6aca80363974a8e9d3c370cccd7cd30763876d81c208affacae9

    • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
