ffdroider | 2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2022 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe
Size

521KB
MD5

5fe1f92b221d98a8504139a2792265f8
SHA1

5faf25f3ee80a45b85f4d1fb971ab9cfd1ff174d
SHA256

2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858
SHA512

b40a7cb1cfd119883e3ae5126b50a73641f184daa49eddc620728a1a2c8e4b5c2e6154bad5a0b6faf053c8049144208ffe4e209611df94e995489b9257ff362d
SSDEEP

12288:kQi3ceLI4OjuBxPnk6tnq6m6URA3Phmyawo+sdsikeEDmBlyZC3:kQiF7nphh/8+sdkvmOQ3

Score

10^/10

ffdroider nymaim smokeloader backdoor evasion persistence stealer trojan vmprotect

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

Detects Smokeloader packer 4 IoCs

resource	yara_rule
behavioral1/memory/4152-191-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4416-195-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader
behavioral1/memory/4152-197-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4152-198-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3344	rundll32.exe	35

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	PowerOff.exe

Executes dropped EXE 11 IoCs

pid	Process
4972	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp
2444	PowerOff.exe
3804	Nohucunybe.exe
3492	Nohucunybe.exe
6688	GcleanerEU.exe
6836	gcleaner.exe
7116	random.exe
3060	pb1117.exe
4416	toolspab3.exe
1132	random.exe
4152	toolspab3.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0001000000022e0f-173.dat	vmprotect
behavioral1/files/0x0001000000022e0f-172.dat	vmprotect
behavioral1/memory/3060-177-0x0000000140000000-0x0000000140617000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	PowerOff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Nohucunybe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gcleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe

Loads dropped DLL 2 IoCs

pid	Process
4972	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp
1436	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Nohucunybe.exe\""	PowerOff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4416 set thread context of 4152	4416	toolspab3.exe	127

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\ICANCMJWHS\poweroff.exe	PowerOff.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Nohucunybe.exe	PowerOff.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Nohucunybe.exe.config	PowerOff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3964	6688	WerFault.exe	93
2636	6836	WerFault.exe	98
1068	6688	WerFault.exe	93
4440	6836	WerFault.exe	98
5000	6688	WerFault.exe	93
1960	6836	WerFault.exe	98
3588	6688	WerFault.exe	93
2756	6836	WerFault.exe	98
3300	1436	WerFault.exe	128
4500	6688	WerFault.exe	93
3304	6836	WerFault.exe	98
5040	6688	WerFault.exe	93
3252	6836	WerFault.exe	98
3372	6688	WerFault.exe	93
952	6836	WerFault.exe	98
3056	6688	WerFault.exe	93
3184	6836	WerFault.exe	98
5216	6836	WerFault.exe	98
5340	6688	WerFault.exe	93

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5236	taskkill.exe
5400	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe
3492	Nohucunybe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4152	toolspab3.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	PowerOff.exe
Token: SeDebugPrivilege	3804	Nohucunybe.exe
Token: SeDebugPrivilege	3492	Nohucunybe.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5400	taskkill.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4972	4636	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe	82
PID 4636 wrote to memory of 4972	4636	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe	82
PID 4636 wrote to memory of 4972	4636	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe	82
PID 4972 wrote to memory of 2444	4972	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp	83
PID 4972 wrote to memory of 2444	4972	2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp	83
PID 2444 wrote to memory of 3804	2444	PowerOff.exe	87
PID 2444 wrote to memory of 3804	2444	PowerOff.exe	87
PID 2444 wrote to memory of 3492	2444	PowerOff.exe	88
PID 2444 wrote to memory of 3492	2444	PowerOff.exe	88
PID 3492 wrote to memory of 5572	3492	Nohucunybe.exe	91
PID 3492 wrote to memory of 5572	3492	Nohucunybe.exe	91
PID 5572 wrote to memory of 6688	5572	cmd.exe	93
PID 5572 wrote to memory of 6688	5572	cmd.exe	93
PID 5572 wrote to memory of 6688	5572	cmd.exe	93
PID 3492 wrote to memory of 6732	3492	Nohucunybe.exe	95
PID 3492 wrote to memory of 6732	3492	Nohucunybe.exe	95
PID 6732 wrote to memory of 6836	6732	cmd.exe	98
PID 6732 wrote to memory of 6836	6732	cmd.exe	98
PID 6732 wrote to memory of 6836	6732	cmd.exe	98
PID 3492 wrote to memory of 6928	3492	Nohucunybe.exe	99
PID 3492 wrote to memory of 6928	3492	Nohucunybe.exe	99
PID 3492 wrote to memory of 6996	3492	Nohucunybe.exe	101
PID 3492 wrote to memory of 6996	3492	Nohucunybe.exe	101
PID 3492 wrote to memory of 7064	3492	Nohucunybe.exe	103
PID 3492 wrote to memory of 7064	3492	Nohucunybe.exe	103
PID 6928 wrote to memory of 7116	6928	cmd.exe	105
PID 6928 wrote to memory of 7116	6928	cmd.exe	105
PID 6928 wrote to memory of 7116	6928	cmd.exe	105
PID 6996 wrote to memory of 3060	6996	cmd.exe	107
PID 6996 wrote to memory of 3060	6996	cmd.exe	107
PID 7064 wrote to memory of 4416	7064	cmd.exe	111
PID 7064 wrote to memory of 4416	7064	cmd.exe	111
PID 7064 wrote to memory of 4416	7064	cmd.exe	111
PID 7116 wrote to memory of 1132	7116	random.exe	113
PID 7116 wrote to memory of 1132	7116	random.exe	113
PID 7116 wrote to memory of 1132	7116	random.exe	113
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 3584 wrote to memory of 1436	3584	rundll32.exe	128
PID 3584 wrote to memory of 1436	3584	rundll32.exe	128
PID 3584 wrote to memory of 1436	3584	rundll32.exe	128
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 4416 wrote to memory of 4152	4416	toolspab3.exe	127
PID 6836 wrote to memory of 5156	6836	gcleaner.exe	149
PID 6836 wrote to memory of 5156	6836	gcleaner.exe	149
PID 6836 wrote to memory of 5156	6836	gcleaner.exe	149
PID 5156 wrote to memory of 5236	5156	cmd.exe	153
PID 5156 wrote to memory of 5236	5156	cmd.exe	153
PID 5156 wrote to memory of 5236	5156	cmd.exe	153
PID 6688 wrote to memory of 5256	6688	GcleanerEU.exe	154
PID 6688 wrote to memory of 5256	6688	GcleanerEU.exe	154
PID 6688 wrote to memory of 5256	6688	GcleanerEU.exe	154
PID 5256 wrote to memory of 5400	5256	cmd.exe	158
PID 5256 wrote to memory of 5400	5256	cmd.exe	158
PID 5256 wrote to memory of 5400	5256	cmd.exe	158

C:\Users\Admin\AppData\Local\Temp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe
"C:\Users\Admin\AppData\Local\Temp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\is-NODLL.tmp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NODLL.tmp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp" /SL5="$40056,254182,170496,C:\Users\Admin\AppData\Local\Temp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\is-LER58.tmp\PowerOff.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LER58.tmp\PowerOff.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\7b-4240e-3d7-69a95-6c0c09ad5f9e4\Nohucunybe.exe
      "C:\Users\Admin\AppData\Local\Temp\7b-4240e-3d7-69a95-6c0c09ad5f9e4\Nohucunybe.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Nohucunybe.exe
      "C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Nohucunybe.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe /eufive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe /eufive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 452
        7⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 764
        7⤵
        Program crash
        
        PID:1068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 772
        7⤵
        Program crash
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 792
        7⤵
        Program crash
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 776
        7⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 984
        7⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 1000
        7⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 1356
        7⤵
        Program crash
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5256
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 492
        7⤵
        Program crash
        
        PID:5340
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6732
      - C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe /mixfive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 452
        7⤵
        Program crash
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 764
        7⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 772
        7⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 772
        7⤵
        Program crash
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 776
        7⤵
        Program crash
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 984
        7⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 1016
        7⤵
        Program crash
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 1368
        7⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 492
        7⤵
        Program crash
        
        PID:5216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe" -q
        7⤵
        Executes dropped EXE
        
        PID:1132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bfcrpedz.stv\pb1117.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6996
      - C:\Users\Admin\AppData\Local\Temp\bfcrpedz.stv\pb1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfcrpedz.stv\pb1117.exe
        6⤵
        Executes dropped EXE
        
        PID:3060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:7064
      - C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6688 -ip 6688
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6836 -ip 6836
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6688 -ip 6688
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6836 -ip 6836
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6688 -ip 6688
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6836 -ip 6836
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6688 -ip 6688
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6836 -ip 6836
1⤵
PID:3808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Loads dropped DLL
PID:1436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 600
  2⤵
  - Program crash
  PID:3300

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6688 -ip 6688
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1436 -ip 1436
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6836 -ip 6836
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6688 -ip 6688
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6836 -ip 6836
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6836 -ip 6836
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6688 -ip 6688
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6688 -ip 6688
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6836 -ip 6836
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6836 -ip 6836
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6688 -ip 6688
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Nohucunybe.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Nohucunybe.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\23-70c86-c9d-d76bc-54b669615e0f5\Nohucunybe.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b-4240e-3d7-69a95-6c0c09ad5f9e4\Nohucunybe.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b-4240e-3d7-69a95-6c0c09ad5f9e4\Nohucunybe.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b-4240e-3d7-69a95-6c0c09ad5f9e4\Nohucunybe.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfcrpedz.stv\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfcrpedz.stv\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LER58.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LER58.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LER58.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NODLL.tmp\2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858.tmp

Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyvyqpuz.oyk\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe

Filesize
225KB

MD5
b7e29c10e814a51b8632cec696d9ca33

SHA1
a6af1b0b83db613c0467f2a00314447ed6c3a596

SHA256
4c8e2952c7faaa00c5252d8a49df3e73c9118af2a090e28e29cef09d750e860e

SHA512
80e181fea8812ab4b24bde3c92e17f449161d0f4b62ff5c0ab4721e30660828c3d93b7cf7fe2fea94966a8252b36d941d345bdb36b37d3aab29d6657e5ec87e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe

Filesize
225KB

MD5
b7e29c10e814a51b8632cec696d9ca33

SHA1
a6af1b0b83db613c0467f2a00314447ed6c3a596

SHA256
4c8e2952c7faaa00c5252d8a49df3e73c9118af2a090e28e29cef09d750e860e

SHA512
80e181fea8812ab4b24bde3c92e17f449161d0f4b62ff5c0ab4721e30660828c3d93b7cf7fe2fea94966a8252b36d941d345bdb36b37d3aab29d6657e5ec87e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfdfhl44.k2d\toolspab3.exe

Filesize
225KB

MD5
b7e29c10e814a51b8632cec696d9ca33

SHA1
a6af1b0b83db613c0467f2a00314447ed6c3a596

SHA256
4c8e2952c7faaa00c5252d8a49df3e73c9118af2a090e28e29cef09d750e860e

SHA512
80e181fea8812ab4b24bde3c92e17f449161d0f4b62ff5c0ab4721e30660828c3d93b7cf7fe2fea94966a8252b36d941d345bdb36b37d3aab29d6657e5ec87e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe

Filesize
292KB

MD5
7453459c4f76f245cd94d05059740829

SHA1
ffe56e8966baff61860d88f1d4924774e30bd851

SHA256
2832baa04ea074ae90f4fa93bd634ee5c78bf8d0531699c356dc16b30a6f6572

SHA512
29f1568a33b2e949bb91b082c2bceae13528181a4228aec94781654801ae5982cbbf320081bef286fab85341cf80464a0537391b7297460b18b3076b2c09be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqnajzx3.kwc\GcleanerEU.exe

Filesize
292KB

MD5
7453459c4f76f245cd94d05059740829

SHA1
ffe56e8966baff61860d88f1d4924774e30bd851

SHA256
2832baa04ea074ae90f4fa93bd634ee5c78bf8d0531699c356dc16b30a6f6572

SHA512
29f1568a33b2e949bb91b082c2bceae13528181a4228aec94781654801ae5982cbbf320081bef286fab85341cf80464a0537391b7297460b18b3076b2c09be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe

Filesize
292KB

MD5
7453459c4f76f245cd94d05059740829

SHA1
ffe56e8966baff61860d88f1d4924774e30bd851

SHA256
2832baa04ea074ae90f4fa93bd634ee5c78bf8d0531699c356dc16b30a6f6572

SHA512
29f1568a33b2e949bb91b082c2bceae13528181a4228aec94781654801ae5982cbbf320081bef286fab85341cf80464a0537391b7297460b18b3076b2c09be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vay4jdn3.azl\gcleaner.exe

Filesize
292KB

MD5
7453459c4f76f245cd94d05059740829

SHA1
ffe56e8966baff61860d88f1d4924774e30bd851

SHA256
2832baa04ea074ae90f4fa93bd634ee5c78bf8d0531699c356dc16b30a6f6572

SHA512
29f1568a33b2e949bb91b082c2bceae13528181a4228aec94781654801ae5982cbbf320081bef286fab85341cf80464a0537391b7297460b18b3076b2c09be4c

Download Submit
memory/2444-142-0x00007FFE18010000-0x00007FFE18AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-151-0x00007FFE18010000-0x00007FFE18AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-141-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/3060-177-0x0000000140000000-0x0000000140617000-memory.dmp

Filesize
6.1MB

Download
memory/3492-154-0x00007FFE180A0000-0x00007FFE18AD6000-memory.dmp

Filesize
10.2MB

Download
memory/3804-153-0x00007FFE180A0000-0x00007FFE18AD6000-memory.dmp

Filesize
10.2MB

Download
memory/4152-191-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4152-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4152-197-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4416-195-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4416-193-0x0000000002D13000-0x0000000002D29000-memory.dmp

Filesize
88KB

Download
memory/4636-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4636-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4636-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6688-204-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6688-185-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6688-181-0x0000000004720000-0x0000000004760000-memory.dmp

Filesize
256KB

Download
memory/6688-179-0x0000000002D43000-0x0000000002D6A000-memory.dmp

Filesize
156KB

Download
memory/6836-186-0x0000000002C40000-0x0000000002D40000-memory.dmp

Filesize
1024KB

Download
memory/6836-203-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6836-187-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download