djvu | f8856a9be46c533273581793064b4329f7ff7e686688433fc3a792957dbf1208

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
04-04-2022 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3087_1647879063_1352.exe
Size

296KB
MD5

71d6dbe9511b9fe051d5b5e75aefe06f
SHA1

e47becfc1f6d724722ba7caf9f34b1dab65a76ab
SHA256

f8856a9be46c533273581793064b4329f7ff7e686688433fc3a792957dbf1208
SHA512

7eae4575a1aa33708fcaed0f57ce75d1afc3fa6184f372277bfff4610a501b9b23397d68a0f3659be937f2525fc49f9cf16e25d46b2e8071af64d0d4c1be74d2

Score

10^/10

djvu smokeloader tofsee vidar 865 backdoor discovery evasion persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/

rc4.i32

Extracted

Family

tofsee

niflheimr.cn

jotunheim.name

Extracted

Family

vidar

Version

51.3

Botnet

865

https://t.me/hi20220328

https://indieweb.social/@samsual

Attributes

profile_id
865

Extracted

Family

djvu

http://fuyt.org/lancer/get.php

Attributes

extension
.gtys
offline_id
qwVQoIsE2xLety0oNWloOilSDuIBXJGK86LM3ot1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fnn5kv33Vv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0439JIjdm

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/624-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1428-190-0x0000000002240000-0x000000000235B000-memory.dmp	family_djvu
behavioral2/memory/624-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/624-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4080-161-0x0000000000400000-0x00000000004F2000-memory.dmp	family_vidar
behavioral2/memory/4080-162-0x0000000002070000-0x000000000211C000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

C476.exeD80F.exenhpnmaw.exeE8AA.exeFA7D.exeE8AA.exe1048.exe61A6.exe

pid process

2984 C476.exe
4080 D80F.exe
2592 nhpnmaw.exe
1428 E8AA.exe
2940 FA7D.exe
624 E8AA.exe
2236 1048.exe
3736 61A6.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2984	C476.exe
4080	D80F.exe
2592	nhpnmaw.exe
1428	E8AA.exe
2940	FA7D.exe
624	E8AA.exe
2236	1048.exe
3736	61A6.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FA7D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FA7D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FA7D.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C476.exeD80F.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	C476.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	D80F.exe

Loads dropped DLL 2 IoCs

Processes:

D80F.exe

pid process

4080 D80F.exe
4080 D80F.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FA7D.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FA7D.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

FA7D.exe

pid process

2940 FA7D.exe
2940 FA7D.exe

pid	process
4080	D80F.exe
4080	D80F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FA7D.exe

pid	process
2940	FA7D.exe
2940	FA7D.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nhpnmaw.exeE8AA.exe61A6.exe

description	pid	process	target process
PID 2592 set thread context of 3468	2592	nhpnmaw.exe	svchost.exe
PID 1428 set thread context of 624	1428	E8AA.exe	E8AA.exe
PID 3736 set thread context of 3676	3736	61A6.exe	RegAsm.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1688	2984	WerFault.exe	C476.exe
2004	2592	WerFault.exe	nhpnmaw.exe
1844	624	WerFault.exe	E8AA.exe
1140	372	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3087_1647879063_1352.exeFA7D.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3087_1647879063_1352.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA7D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA7D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3087_1647879063_1352.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3087_1647879063_1352.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D80F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	D80F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	D80F.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3260 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1736 taskkill.exe

pid	process
3260	timeout.exe

pid	process
1736	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3087_1647879063_1352.exe

pid	process
212	3087_1647879063_1352.exe
212	3087_1647879063_1352.exe
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

896
Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

3087_1647879063_1352.exeFA7D.exe

pid process

212 3087_1647879063_1352.exe
2940 FA7D.exe
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896

pid	process
896

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

taskkill.exe1048.exe61A6.exeRegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	2236	1048.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	3736	61A6.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	3676	RegAsm.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C476.exenhpnmaw.exeE8AA.exeD80F.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 2984	896		C476.exe
PID 896 wrote to memory of 2984	896		C476.exe
PID 896 wrote to memory of 2984	896		C476.exe
PID 2984 wrote to memory of 804	2984	C476.exe	cmd.exe
PID 2984 wrote to memory of 804	2984	C476.exe	cmd.exe
PID 2984 wrote to memory of 804	2984	C476.exe	cmd.exe
PID 896 wrote to memory of 4080	896		D80F.exe
PID 896 wrote to memory of 4080	896		D80F.exe
PID 896 wrote to memory of 4080	896		D80F.exe
PID 2984 wrote to memory of 3372	2984	C476.exe	cmd.exe
PID 2984 wrote to memory of 3372	2984	C476.exe	cmd.exe
PID 2984 wrote to memory of 3372	2984	C476.exe	cmd.exe
PID 2984 wrote to memory of 2216	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 2216	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 2216	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 3448	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 3448	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 3448	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 840	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 840	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 840	2984	C476.exe	sc.exe
PID 2984 wrote to memory of 1888	2984	C476.exe	netsh.exe
PID 2984 wrote to memory of 1888	2984	C476.exe	netsh.exe
PID 2984 wrote to memory of 1888	2984	C476.exe	netsh.exe
PID 896 wrote to memory of 1428	896		E8AA.exe
PID 896 wrote to memory of 1428	896		E8AA.exe
PID 896 wrote to memory of 1428	896		E8AA.exe
PID 896 wrote to memory of 2940	896		FA7D.exe
PID 896 wrote to memory of 2940	896		FA7D.exe
PID 896 wrote to memory of 2940	896		FA7D.exe
PID 2592 wrote to memory of 3468	2592	nhpnmaw.exe	svchost.exe
PID 2592 wrote to memory of 3468	2592	nhpnmaw.exe	svchost.exe
PID 2592 wrote to memory of 3468	2592	nhpnmaw.exe	svchost.exe
PID 2592 wrote to memory of 3468	2592	nhpnmaw.exe	svchost.exe
PID 2592 wrote to memory of 3468	2592	nhpnmaw.exe	svchost.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 1428 wrote to memory of 624	1428	E8AA.exe	E8AA.exe
PID 896 wrote to memory of 2236	896		1048.exe
PID 896 wrote to memory of 2236	896		1048.exe
PID 896 wrote to memory of 2236	896		1048.exe
PID 4080 wrote to memory of 3904	4080	D80F.exe	cmd.exe
PID 4080 wrote to memory of 3904	4080	D80F.exe	cmd.exe
PID 4080 wrote to memory of 3904	4080	D80F.exe	cmd.exe
PID 896 wrote to memory of 372	896		explorer.exe
PID 896 wrote to memory of 372	896		explorer.exe
PID 896 wrote to memory of 372	896		explorer.exe
PID 896 wrote to memory of 372	896		explorer.exe
PID 3904 wrote to memory of 1736	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1736	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1736	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 3260	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 3260	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 3260	3904	cmd.exe	timeout.exe
PID 896 wrote to memory of 3020	896		explorer.exe
PID 896 wrote to memory of 3020	896		explorer.exe
PID 896 wrote to memory of 3020	896		explorer.exe

C:\Users\Admin\AppData\Local\Temp\3087_1647879063_1352.exe
"C:\Users\Admin\AppData\Local\Temp\3087_1647879063_1352.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:212

C:\Users\Admin\AppData\Local\Temp\C476.exe
C:\Users\Admin\AppData\Local\Temp\C476.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wanvnfdv\
2⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nhpnmaw.exe" C:\Windows\SysWOW64\wanvnfdv\
2⤵
PID:3372

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create wanvnfdv binPath= "C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe /d\"C:\Users\Admin\AppData\Local\Temp\C476.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2216

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description wanvnfdv "wifi internet conection"
2⤵
PID:3448

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start wanvnfdv
2⤵
PID:840

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 772
2⤵
- Program crash
PID:1688

C:\Users\Admin\AppData\Local\Temp\D80F.exe
C:\Users\Admin\AppData\Local\Temp\D80F.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im D80F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D80F.exe" & del C:\ProgramData\*.dll & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im D80F.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:3260

C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe
C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe /d"C:\Users\Admin\AppData\Local\Temp\C476.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 572
2⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2984 -ip 2984
1⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\E8AA.exe
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\E8AA.exe
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 536
3⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Local\Temp\FA7D.exe
C:\Users\Admin\AppData\Local\Temp\FA7D.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2592 -ip 2592
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 624 -ip 624
1⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\1048.exe
C:\Users\Admin\AppData\Local\Temp\1048.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 876
2⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 372 -ip 372
1⤵
PID:3472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\61A6.exe
C:\Users\Admin\AppData\Local\Temp\61A6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1980

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3004

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2508

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3448

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1140

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1048.exe
Filesize
1.0MB

MD5
58d4a4a40084d0797e21275558f8bd97

SHA1
5477465eedb7c94725efd1ab5133ad2129340c9c

SHA256
ac67d9e0b617faab29d762961dc8564eade4b3f9383b1b8327de7b117bc286ec

SHA512
208627f05140db12c856d9eef2a0df67aa32bb79cfba6bf982a84c56d7f128b43f9602a229013c4a782da51ef0dd02f644df77189fb7635bbefac1516091dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1048.exe
Filesize
1.0MB

MD5
58d4a4a40084d0797e21275558f8bd97

SHA1
5477465eedb7c94725efd1ab5133ad2129340c9c

SHA256
ac67d9e0b617faab29d762961dc8564eade4b3f9383b1b8327de7b117bc286ec

SHA512
208627f05140db12c856d9eef2a0df67aa32bb79cfba6bf982a84c56d7f128b43f9602a229013c4a782da51ef0dd02f644df77189fb7635bbefac1516091dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A6.exe
Filesize
1.0MB

MD5
273ad70f68326de22a515cd14ef45508

SHA1
8905394e3172f56b5feebd265a915c4f106fd3fc

SHA256
86a0cfbbd6356a1de69f1adf4a25791ce375eb5f0f3ea66be24b230b0b46245b

SHA512
5b3f3d0ee1d73ce67174f7ee5c459de58321bc0ebd84bb840e6fadcb01f78b0b10c3b2a7ae4c22ea55c5b57cab99a95fae883d6bd1fc453a419a07db6f10f350

Download Submit
C:\Users\Admin\AppData\Local\Temp\61A6.exe
Filesize
1.0MB

MD5
273ad70f68326de22a515cd14ef45508

SHA1
8905394e3172f56b5feebd265a915c4f106fd3fc

SHA256
86a0cfbbd6356a1de69f1adf4a25791ce375eb5f0f3ea66be24b230b0b46245b

SHA512
5b3f3d0ee1d73ce67174f7ee5c459de58321bc0ebd84bb840e6fadcb01f78b0b10c3b2a7ae4c22ea55c5b57cab99a95fae883d6bd1fc453a419a07db6f10f350

Download Submit
C:\Users\Admin\AppData\Local\Temp\C476.exe
Filesize
262KB

MD5
03a3858edda11d9addf980e84fe669f2

SHA1
17d806fdbf304fb0243d50e761a0b40eb9642490

SHA256
5baf83e3ec3ade7fc1760e65bf958f3ddc8217bfb5307b78ccfd690c828c1fae

SHA512
4f763efe25b7e4b97ca7093a497f54583e40fd9af4d822fe5257d8c7f8a1594adfc099db7d14c755fd6b61ca9861cf2676cd7f6efd3923b7af4eaa286b4c9f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\C476.exe
Filesize
262KB

MD5
03a3858edda11d9addf980e84fe669f2

SHA1
17d806fdbf304fb0243d50e761a0b40eb9642490

SHA256
5baf83e3ec3ade7fc1760e65bf958f3ddc8217bfb5307b78ccfd690c828c1fae

SHA512
4f763efe25b7e4b97ca7093a497f54583e40fd9af4d822fe5257d8c7f8a1594adfc099db7d14c755fd6b61ca9861cf2676cd7f6efd3923b7af4eaa286b4c9f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80F.exe
Filesize
696KB

MD5
1c73b198d8bb81f87904aa5da4df8228

SHA1
5068682c838adff96c7f8cfd713dca9eeafb1c58

SHA256
dba8b60ad720aba879052340f32cc3843f6430d7d65355604ca7e80787a82bd4

SHA512
c9ffcd206cffa786cb55d95dddc5b3ab2778fe2b01bba0240ab49bb9c1ba44ad2a17867817ad5321384bf437fb744d7ef3f3b1e8108e621346fc4a8247a86216

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80F.exe
Filesize
696KB

MD5
1c73b198d8bb81f87904aa5da4df8228

SHA1
5068682c838adff96c7f8cfd713dca9eeafb1c58

SHA256
dba8b60ad720aba879052340f32cc3843f6430d7d65355604ca7e80787a82bd4

SHA512
c9ffcd206cffa786cb55d95dddc5b3ab2778fe2b01bba0240ab49bb9c1ba44ad2a17867817ad5321384bf437fb744d7ef3f3b1e8108e621346fc4a8247a86216

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
Filesize
841KB

MD5
efed57771cb41fdde63781d1e195912c

SHA1
a71b0545951c99eb6ad4a50c22d02c958003d920

SHA256
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

SHA512
6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
Filesize
841KB

MD5
efed57771cb41fdde63781d1e195912c

SHA1
a71b0545951c99eb6ad4a50c22d02c958003d920

SHA256
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

SHA512
6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
Filesize
841KB

MD5
efed57771cb41fdde63781d1e195912c

SHA1
a71b0545951c99eb6ad4a50c22d02c958003d920

SHA256
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

SHA512
6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA7D.exe
Filesize
2.4MB

MD5
4740291ec0e127d24cee534329bc1625

SHA1
3b0cc4e8f779f7268716e7a116ed4443ba30383b

SHA256
edf108a4b5049c7ccf26d401c9ae48b9444744e71322e41b6a8a89873c63147b

SHA512
1e88a2b9ae851967f915387f669e9debe044eb5cbb8d922598834a5c226546451614ef501615d1d0d43dfb0e41992075ba38f6bbde89d337b09e6342ba10d38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA7D.exe
Filesize
2.4MB

MD5
4740291ec0e127d24cee534329bc1625

SHA1
3b0cc4e8f779f7268716e7a116ed4443ba30383b

SHA256
edf108a4b5049c7ccf26d401c9ae48b9444744e71322e41b6a8a89873c63147b

SHA512
1e88a2b9ae851967f915387f669e9debe044eb5cbb8d922598834a5c226546451614ef501615d1d0d43dfb0e41992075ba38f6bbde89d337b09e6342ba10d38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhpnmaw.exe
Filesize
13.0MB

MD5
1763445c80f58b9816d82b99cc37075b

SHA1
57cb33fa5f808a2d2341f2bd1b79fce120f21370

SHA256
a4450fb81c8e3c0890759bf1e1184aebd761bb77cbe84738dbacfe7e831f3c1c

SHA512
6fd164399fa6c2f34261d90e6b679f0cd5c2d47d1a5aa04dc2257ab8ec19af13e0225ce29792f2dc2904d5f2abfeae8f05d69a2fdfe4ff2eda2a3775961dfd03

Download Submit
C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe
Filesize
13.0MB

MD5
1763445c80f58b9816d82b99cc37075b

SHA1
57cb33fa5f808a2d2341f2bd1b79fce120f21370

SHA256
a4450fb81c8e3c0890759bf1e1184aebd761bb77cbe84738dbacfe7e831f3c1c

SHA512
6fd164399fa6c2f34261d90e6b679f0cd5c2d47d1a5aa04dc2257ab8ec19af13e0225ce29792f2dc2904d5f2abfeae8f05d69a2fdfe4ff2eda2a3775961dfd03

Download Submit
memory/212-134-0x00000000004D8000-0x00000000004E9000-memory.dmp

Filesize
68KB

Download
memory/212-135-0x0000000002070000-0x0000000002079000-memory.dmp

Filesize
36KB

Download
memory/212-136-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/212-133-0x00000000004D8000-0x00000000004E9000-memory.dmp

Filesize
68KB

Download
memory/372-203-0x0000000000000000-mapping.dmp

Download
memory/624-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/624-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/624-185-0x0000000000000000-mapping.dmp

Download
memory/624-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/804-142-0x0000000000000000-mapping.dmp

Download
memory/840-153-0x0000000000000000-mapping.dmp

Download
memory/896-137-0x00000000013F0000-0x0000000001406000-memory.dmp

Filesize
88KB

Download
memory/896-200-0x0000000007730000-0x0000000007746000-memory.dmp

Filesize
88KB

Download
memory/1140-235-0x0000000000000000-mapping.dmp

Download
memory/1240-222-0x0000000000000000-mapping.dmp

Download
memory/1428-156-0x0000000000000000-mapping.dmp

Download
memory/1428-190-0x0000000002240000-0x000000000235B000-memory.dmp

Filesize
1.1MB

Download
memory/1428-189-0x0000000002068000-0x00000000020F9000-memory.dmp

Filesize
580KB

Download
memory/1736-204-0x0000000000000000-mapping.dmp

Download
memory/1888-155-0x0000000000000000-mapping.dmp

Download
memory/1980-218-0x0000000000000000-mapping.dmp

Download
memory/2168-236-0x0000000000000000-mapping.dmp

Download
memory/2216-151-0x0000000000000000-mapping.dmp

Download
memory/2236-197-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2236-194-0x0000000000000000-mapping.dmp

Download
memory/2236-206-0x0000000004970000-0x0000000004F14000-memory.dmp

Filesize
5.6MB

Download
memory/2236-201-0x00000000049E0000-0x00000000049EA000-memory.dmp

Filesize
40KB

Download
memory/2236-199-0x0000000004A10000-0x0000000004AA2000-memory.dmp

Filesize
584KB

Download
memory/2236-198-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/2292-229-0x0000000000000000-mapping.dmp

Download
memory/2508-230-0x0000000000000000-mapping.dmp

Download
memory/2592-166-0x000000000054A000-0x0000000000557000-memory.dmp

Filesize
52KB

Download
memory/2592-175-0x000000000054A000-0x0000000000557000-memory.dmp

Filesize
52KB

Download
memory/2592-176-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2940-170-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2940-183-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-172-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-171-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-181-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-169-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2940-173-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-174-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-167-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-178-0x0000000076FE0000-0x0000000077183000-memory.dmp

Filesize
1.6MB

Download
memory/2940-168-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2940-163-0x0000000000000000-mapping.dmp

Download
memory/2940-184-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/2984-144-0x0000000002090000-0x00000000020A3000-memory.dmp

Filesize
76KB

Download
memory/2984-141-0x000000000080F000-0x000000000081D000-memory.dmp

Filesize
56KB

Download
memory/2984-138-0x0000000000000000-mapping.dmp

Download
memory/2984-143-0x000000000080F000-0x000000000081D000-memory.dmp

Filesize
56KB

Download
memory/2984-145-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3004-221-0x0000000000000000-mapping.dmp

Download
memory/3020-207-0x0000000000000000-mapping.dmp

Download
memory/3260-205-0x0000000000000000-mapping.dmp

Download
memory/3372-149-0x0000000000000000-mapping.dmp

Download
memory/3448-152-0x0000000000000000-mapping.dmp

Download
memory/3448-234-0x0000000000000000-mapping.dmp

Download
memory/3468-177-0x0000000000000000-mapping.dmp

Download
memory/3468-179-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/3676-225-0x0000000005710000-0x0000000005D28000-memory.dmp

Filesize
6.1MB

Download
memory/3676-231-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/3676-239-0x0000000007DB0000-0x00000000082DC000-memory.dmp

Filesize
5.2MB

Download
memory/3676-238-0x00000000070A0000-0x0000000007262000-memory.dmp

Filesize
1.8MB

Download
memory/3676-237-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/3676-223-0x0000000000000000-mapping.dmp

Download
memory/3676-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3676-233-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/3676-226-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/3676-227-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/3676-228-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/3676-232-0x00000000060B0000-0x0000000006126000-memory.dmp

Filesize
472KB

Download
memory/3736-217-0x00000000004D0000-0x00000000005E0000-memory.dmp

Filesize
1.1MB

Download
memory/3736-219-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/3736-214-0x0000000000000000-mapping.dmp

Download
memory/3824-220-0x0000000000000000-mapping.dmp

Download
memory/3904-202-0x0000000000000000-mapping.dmp

Download
memory/4080-146-0x0000000000000000-mapping.dmp

Download
memory/4080-160-0x000000000066F000-0x00000000006DB000-memory.dmp

Filesize
432KB

Download
memory/4080-161-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4080-159-0x000000000066F000-0x00000000006DB000-memory.dmp

Filesize
432KB

Download
memory/4080-162-0x0000000002070000-0x000000000211C000-memory.dmp

Filesize
688KB

Download