njrat | 607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

Analysis

max time kernel
172s
max time network
190s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Size

1.1MB
MD5

58b70dc435e70d62b6a0d4ed80c13b3b
SHA1

62215c17f29509df0ed5992f71072e7ba787423c
SHA256

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9
SHA512

6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

188.164.251.215:1800

Mutex

ea23cb1a51efb6050b655e959a876166

Attributes

reg_key
ea23cb1a51efb6050b655e959a876166
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 7 IoCs

Processes:

steamwebhelper.exe607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exesteamwebhelper.exe607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
836	steamwebhelper.exe
976	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1736	steamwebhelper.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1948	winlogon.exe
2012	winlogon.exe
1616	winlogon.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2008 netsh.exe
Deletes itself 1 IoCs

Processes:

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe

pid process

1396 607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe

pid	process
2008	netsh.exe

Drops startup file 3 IoCs

Processes:

winlogon.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea23cb1a51efb6050b655e959a876166.exe	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea23cb1a51efb6050b655e959a876166.exe	winlogon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea23cb1a51efb6050b655e959a876166.exe\:ZONE.identifier:$DATA	winlogon.exe

Loads dropped DLL 9 IoCs

Processes:

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exesteamwebhelper.exesteamwebhelper.exewinlogon.exe

pid	process
1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
836	steamwebhelper.exe
1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1736	steamwebhelper.exe
1736	steamwebhelper.exe
1948	winlogon.exe
1948	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ea23cb1a51efb6050b655e959a876166 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ea23cb1a51efb6050b655e959a876166 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

steamwebhelper.exe607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exewinlogon.exe

description	pid	process	target process
PID 836 set thread context of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 1884 set thread context of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1948 set thread context of 1616	1948	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\steamwebhelper.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\winlogon.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe

pid	process
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	1396	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Token: SeDebugPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe
Token: 33	1616	winlogon.exe
Token: SeIncBasePriorityPrivilege	1616	winlogon.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exesteamwebhelper.exesteamwebhelper.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 1884 wrote to memory of 836	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	steamwebhelper.exe
PID 1884 wrote to memory of 836	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	steamwebhelper.exe
PID 1884 wrote to memory of 836	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	steamwebhelper.exe
PID 1884 wrote to memory of 836	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	steamwebhelper.exe
PID 1884 wrote to memory of 1960	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	cmd.exe
PID 1884 wrote to memory of 1960	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	cmd.exe
PID 1884 wrote to memory of 1960	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	cmd.exe
PID 1884 wrote to memory of 1960	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	cmd.exe
PID 836 wrote to memory of 680	836	steamwebhelper.exe	cmd.exe
PID 836 wrote to memory of 680	836	steamwebhelper.exe	cmd.exe
PID 836 wrote to memory of 680	836	steamwebhelper.exe	cmd.exe
PID 836 wrote to memory of 680	836	steamwebhelper.exe	cmd.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 1884 wrote to memory of 976	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 976	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 976	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 976	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 836 wrote to memory of 1736	836	steamwebhelper.exe	steamwebhelper.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1884 wrote to memory of 1396	1884	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe	607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
PID 1736 wrote to memory of 1948	1736	steamwebhelper.exe	winlogon.exe
PID 1736 wrote to memory of 1948	1736	steamwebhelper.exe	winlogon.exe
PID 1736 wrote to memory of 1948	1736	steamwebhelper.exe	winlogon.exe
PID 1736 wrote to memory of 1948	1736	steamwebhelper.exe	winlogon.exe
PID 1948 wrote to memory of 1316	1948	winlogon.exe	cmd.exe
PID 1948 wrote to memory of 1316	1948	winlogon.exe	cmd.exe
PID 1948 wrote to memory of 1316	1948	winlogon.exe	cmd.exe
PID 1948 wrote to memory of 1316	1948	winlogon.exe	cmd.exe
PID 1948 wrote to memory of 2012	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 2012	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 2012	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 2012	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1948 wrote to memory of 1616	1948	winlogon.exe	winlogon.exe
PID 1616 wrote to memory of 2008	1616	winlogon.exe	netsh.exe
PID 1616 wrote to memory of 2008	1616	winlogon.exe	netsh.exe
PID 1616 wrote to memory of 2008	1616	winlogon.exe	netsh.exe
PID 1616 wrote to memory of 2008	1616	winlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
"C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
"C:\Users\Admin\AppData\Roaming\steamwebhelper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\steamwebhelper.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:680

C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
"C:\Users\Admin\AppData\Roaming\steamwebhelper.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlogon.exe":ZONE.identifier & exit
5⤵
- NTFS ADS
PID:1316

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2008

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
5⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:1960

C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
"C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe"
2⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
"C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
85733434751504259f109a3d21c6aa3b

SHA1
5b5c1e8102efe7d7e3746ff46778ca224db29939

SHA256
2bf887e5fb134b40f56538554a4cd6c39c3719b8d9bc2e4af6175d066da172a7

SHA512
eec98f7e1c46207a5547c4d175dac3bb3f090e54177b6dc17c470e01f4603a4993f9a03c836932057636b842fa62d48a3b5e9f82ee77e1510a300b61e97bfd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Filesize
1.1MB

MD5
58b70dc435e70d62b6a0d4ed80c13b3b

SHA1
62215c17f29509df0ed5992f71072e7ba787423c

SHA256
607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

SHA512
6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Download Submit
C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Filesize
1.1MB

MD5
58b70dc435e70d62b6a0d4ed80c13b3b

SHA1
62215c17f29509df0ed5992f71072e7ba787423c

SHA256
607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

SHA512
6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Download Submit
C:\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Filesize
1.1MB

MD5
58b70dc435e70d62b6a0d4ed80c13b3b

SHA1
62215c17f29509df0ed5992f71072e7ba787423c

SHA256
607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

SHA512
6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Filesize
1.1MB

MD5
58b70dc435e70d62b6a0d4ed80c13b3b

SHA1
62215c17f29509df0ed5992f71072e7ba787423c

SHA256
607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

SHA512
6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Download Submit
\Users\Admin\AppData\Local\Temp\607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9.exe
Filesize
1.1MB

MD5
58b70dc435e70d62b6a0d4ed80c13b3b

SHA1
62215c17f29509df0ed5992f71072e7ba787423c

SHA256
607736aaaa0c9359fdaceb20ca9ece52d52e108b6592b4d8e7f49a6ca0bf28a9

SHA512
6b1e05d9b24d26b1efd96e59f7615fb9a7bf2bbf26b17c626174de00d73852634bceaa4a484687c1b568bc264e76e1b661542728f451e01154f36c14dfb38714

Download Submit
\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\steamwebhelper.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
98KB

MD5
25c3b01d4ee482185f3ba97b0beb9dc3

SHA1
9891e5b55f43291a2dce6d101f7edda56054af81

SHA256
db693fd10c1cc971b7843c6416405718679677f8f31ee165c0a420c82b1bf012

SHA512
84f3cb289b104bd9e8ca59876671969ead90f3af91c0ee5c36c1658999bf3ba724f1452f263878f8a10ff20f2e14cf80fefd9a6b661bcd9896a3b37935c7af6d

Download Submit
memory/680-63-0x0000000000000000-mapping.dmp

Download
memory/836-88-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/836-57-0x0000000000000000-mapping.dmp

Download
memory/1316-140-0x0000000000000000-mapping.dmp

Download
memory/1396-107-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-113-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-83-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-167-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-95-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-98-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-100-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-102-0x000000000049A00A-mapping.dmp

Download
memory/1396-91-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-105-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-166-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-77-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-110-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-132-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-112-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-79-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-114-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-115-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-116-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-117-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-118-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-121-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-120-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-123-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-125-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-126-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-129-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1396-130-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1616-155-0x000000000040747E-mapping.dmp

Download
memory/1616-163-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-168-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-111-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-82-0x000000000040747E-mapping.dmp

Download
memory/1736-78-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-139-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-94-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1736-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1884-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1884-106-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-90-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-159-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-135-0x0000000000000000-mapping.dmp

Download
memory/1948-141-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-62-0x0000000000000000-mapping.dmp

Download
memory/2008-164-0x0000000000000000-mapping.dmp

Download