netwalker | f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be

Analysis

max time kernel
146s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be.ps1
Size

5.1MB
MD5

b1f0093b89561c6123070165bd2261e2
SHA1

aac57162dc1311f07a869f7163bd30e0d62dcc0e
SHA256

f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
SHA512

637b40a33fc8e5d478128242f621ceefcb158b1d411898fbf4bb2e7352fd214befd58c308297108d631d5b4e4b44f953ac51676b02ef20e8de9dc122ef0ba797
SSDEEP

24576:3lWHR7hoxn6yTYo1oc8UcMIh/MuwL+zn4ltC3O+wXCwNLaLRcfIAM1Bq9p0IQWwS:l

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\Crashpad\034FBF-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .034fbf -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_034fbf: 6pzO0ksWWHns4oqqZZJKdaVFTeItOrhvBJxx/Sy9iBfQpTskzE hasOBh6VNbQ5eJLMO2t3HWtjbHBMpXn6VieRod/y4V9eJ2L0Sb SEOOF14Fb8uB+mkJeANj4Arr/E+HNznRmRRlX/S2WZrV9CGOfo /qCDqgPiGt449qG+ytjYfvyi7e1SYLEQVsasgNf3NmoNRViDUP pBXnCczkFx0BeEEopqv2wRhxdLvutmt4V+axKxGNLCtr1qzp0O ERZwvDKErpp+gM0yXwOR3LnqdNAT+NzKF39q6kDQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6765) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\034FBF-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Zview.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe806.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\034FBF-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\034FBF-Readme.txt	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\034FBF-Readme.txt	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\034FBF-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\188.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1460	powershell.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	Process
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeExplorer.EXEvssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3476	Explorer.EXE
Token: SeImpersonatePrivilege	3476	Explorer.EXE
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

powershell.execsc.execsc.exeExplorer.EXE

description	pid	Process	procid_target
PID 1460 wrote to memory of 320	1460	powershell.exe	88
PID 1460 wrote to memory of 320	1460	powershell.exe	88
PID 320 wrote to memory of 4536	320	csc.exe	89
PID 320 wrote to memory of 4536	320	csc.exe	89
PID 1460 wrote to memory of 3116	1460	powershell.exe	90
PID 1460 wrote to memory of 3116	1460	powershell.exe	90
PID 3116 wrote to memory of 3204	3116	csc.exe	91
PID 3116 wrote to memory of 3204	3116	csc.exe	91
PID 1460 wrote to memory of 3476	1460	powershell.exe	56
PID 3476 wrote to memory of 4448	3476	Explorer.EXE	101
PID 3476 wrote to memory of 4448	3476	Explorer.EXE	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2C1.tmp" "c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\CSC1627F0DB4BCF48819872F3AEF969D3D7.TMP"
      4⤵
      PID:4536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD34E.tmp" "c:\Users\Admin\AppData\Local\Temp\bylamoim\CSC5E16C2547E74105937C2B72C99F96DF.TMP"
      4⤵
      PID:3204
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\034FBF-Readme.txt"
  2⤵
  PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\034FBF-Readme.txt

Filesize
1KB

MD5
a01e818e75d4ed56870fc2d782dbb3e7

SHA1
9525abab8866783df75ce4aea9e8f5325ec89f3f

SHA256
dcbfa38bb2bb1cbe84541a23b3622055b51ad81585288b738e24d69250029d5e

SHA512
ca2b81c0b0d0d6b5bbcd145a29c3c4a96e9d048206020287c60629ae229f500066b463a48f40f317946966d66fc49ad21fc3db38fab1631cfe827986e167639d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml.034fbf

Filesize
1KB

MD5
75283e54be02050a141dd1da4e0a47a8

SHA1
5152586aa5dcbd8f6eae65ffb5db5dd7b4850139

SHA256
2376a81d36d8eba6454d5d6d8ebb2971e06f63c07a395198bfc12ffd08fbd96f

SHA512
f0e60663f90f9fecbfc282ff9fde62fb8030ac153a01ce93c304453153c60bcbd7ad34ed2c07a4d85cce116d0c4d4a58a0ceb26e777f3b494df767299716a9cf

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.034fbf

Filesize
910B

MD5
1548077e5f9dbae0243d88257a550974

SHA1
3f3c8ee402acde9ef01425e74778556414c62c65

SHA256
11c59bbb8e13600b47862f27092cd14cc84246ce5f74a80c893f3fc089b20766

SHA512
a74990416190ab471ac9709cfcbab624fa447aaf0dc08684202437855fb6bcb4df7023df97fd2e7ccf034e7e1faa9d1cae9ac2ac3c780d4586bd9111a2cc9a0e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
31ccd80c9e091d3ce3d6a2718ea38b60

SHA1
2bb3965b3a20cdc2da97b22a9fc0fb7036c1fc34

SHA256
47d8c39f4b8d76c236fab48baced5967c73539f8fd45aaa900d0449fa0cde960

SHA512
d4c7935e277f7a55c3e77b467499302c3531fff1d7297dc66e7933af9878d82097e4fe73878c73844e30b3cda6de1ed644d3ce4c4218d20af02a1f0b31f233d0

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.034fbf

Filesize
1.1MB

MD5
b78d818d1da5d4f37e744e2e61c6a543

SHA1
ceaf0a8d4df6ca0c6804bf8ac26e269a78a35fc0

SHA256
baa05cf4f74ff26909f2f3bca9d58f76e809bc145978a24fbf6d2380c882e079

SHA512
14e39faf1d295f9bc47ccf8aed2d2fa14fdceafb1c5e7dee8622bcb170f522e0ea270616edd5a3f307133081187efcdb6c53380bfc59fa759d471eb181318e35

Download Submit
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.034fbf

Filesize
182KB

MD5
cab63e44f85f8316bd588eb345cc2c67

SHA1
441dbe845254ffc62620ee411fbd55cc3da6608c

SHA256
bc5ba1dfc731124c5286c0ae9ed40f1580d04bc809a2c7f92b547d30ceb7656e

SHA512
f5aaa29cc8c1f1b4e1907dca8f124067ee095e4b756bbb32d88d6461535fcffcc8806ea711ddd1b79cbb9520dae2630986a560024dfc4b96fe547c9aa7c180f8

Download Submit
C:\ProgramData\Microsoft\Diagnosis\osver.txt.034fbf

Filesize
270B

MD5
255636abb58f35ca074aca0156b2e1bc

SHA1
b4ba1757a060f9f97a3d971fedd9edfd0ea0458d

SHA256
802277fc2dfd4efdf92d7bad4185af2ecafe0a228a78221902e2bf14a6d0e9a6

SHA512
eed60ecf844f9ca031f0a3bdb6d6de62f9cdc8b51e099b754a4d191fa04d2ea17c714f83f2c175966097998fd5fe9cdfb16fa11799ecbe216e2bab84ab695950

Download Submit
C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2024_8_2_12_27_22.etl.034fbf

Filesize
256KB

MD5
521a722b7f65bad07a967b9cbd94575b

SHA1
a9bbbdcf86ce1c767715e37302b4e69bbd0db540

SHA256
9cf044dfad3bcf42ee5eb862b0476b01faa76a7645aa9ec85020c4e2ea5bb12b

SHA512
27db684a3c583821c102d71ff3f32898ac9358ee911aa9c326bcc0a0c23f9fb2d14a91dd10cfa989b4a825b632e29771530e9274d87bd2762564c1289de9853d

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.034fbf

Filesize
14KB

MD5
122eb0f502cd1cb8759d9911a648c972

SHA1
9f70f3f3d01852146a7cdb90c9669c259a6a3cf0

SHA256
945eb8cf3911e1899b09837356e08cfefbbd39e53e15fdc99d72a68e270cd260

SHA512
88d83ef0886199025a4f0b5af9af61b7f99a42d7998131d83ae8f01e18e8c75cf14e28a7d3a10c3684c71b52854714b1121f127f1975d05f915660e1c8618d30

Download Submit
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch.034fbf

Filesize
482B

MD5
ead3281c94cc3898402405516263aec2

SHA1
1c3e863fef112dac8d744b35ab075b24eaba9666

SHA256
8dd0128e36d34dc777af8fb46d0744ef610604565db40f8db25876ea5cff39b5

SHA512
62cd15e985373bac6b11667b89c8bec0a1883375b980acfdd8c7d88ab0844be1d2f7c51c9b256ee46f60e6abc2eb35fd8ef998dc050acfffe9093fb269febad8

Download Submit
C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml.034fbf

Filesize
20KB

MD5
4223f172a213fd41b5f3d5dd1dbce448

SHA1
c56172c55dffa57225a9fc2bd5b632ad0cfdcf2b

SHA256
c34d2e0a0427e073e90bf0be34b7aefd63da98ff7a94ccdca98312db81b46d53

SHA512
f706f3f908ea34e538bfb863bed3c1ba6e2b168e559f3258436efa6accefcc489547f8ba9a4cc48e205c1dce63c3ff36090b37bb645bde60eead93f6621fc8ea

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2e267d1c-9ef4-8ee3-57be-e11f61eb9d03.xml.034fbf

Filesize
3KB

MD5
5465146601e0ba768ad2ad119b1d676f

SHA1
ec30dfaf430f7be05bbb732c4de5cef537c20046

SHA256
03b0909a566042b913fe651735bbe16c98d740cb4d798d0787bb59aa0d7dd79e

SHA512
ef4ec00da63f81ad32bf54227a99073fd85ed83b9ae8f2d25ff7aed86783ba5c601f53cf20fe34a03069f0b3ca014e79675a03d7eb1fa55a4da263f00c5ab0c7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url.034fbf

Filesize
443B

MD5
baf8aae8e760d79b61b430898528d52e

SHA1
c3208f291222ef328251bc2fd4ec94b2250c07bf

SHA256
27a66b83a27fcb128db67cdffb0d10f2992dbd0d4c21fed0ea6505b9d6ceef1b

SHA512
30a1fcbf5b67f816e0e65dcbf4bb6a3bdb6060d50c4015353ec973ec062a0b95fef67d7ba1321214f6a98f8a3cadecfa35fb3c51125626e738366d0f93702412

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.034fbf

Filesize
894B

MD5
acc23f3da4434183fb3e39ac3f0a0b9d

SHA1
9e5e6d4e9586b58f48050319200fcfe05273ca30

SHA256
eef0e9f386515a079f7d91698e4bc4686a33bae372502e8b9323a8852e8a0906

SHA512
e756f9e5ad4dca3ec878f0cb55601d8fd57f00465700cf2dda4a4db9d2e86cbfd4bb3ef243dd4e0d30afc274319b26f0969eeeaa5f122005c4be46fd3c5b294d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD2C1.tmp

Filesize
1KB

MD5
98563b8c94d47d1b2658df07b31a6b31

SHA1
20986eece74f050aec48cd954af23d8c772217f4

SHA256
d1273c2c13322f12bda22608bdd78b305fff36efd3b70f001ad498962d2b3584

SHA512
1aeac9b1f8ed055f524121c65b0611eef9f4b47984c4e21589a812af01ea8097515d47014e90b05ae59fd33cf69b82cb8bffe521368e6a48c02f7647e9fe7408

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD34E.tmp

Filesize
1KB

MD5
182dab4676806ad35755972847422d8e

SHA1
4b0f7f9e579cc6d9c029a627643c95a3e701d9fa

SHA256
930d00e5a1e80cd6711555717aff3ff22bbe5eafd614175aacb7ad0a311ab0e6

SHA512
0ab90fb8c360c8809c41c8c0d4587f60b6ef4f2a1c369abbe1062e0369abca341c53f1dd434eb4dcccf64e02b23bb4fe014dfc8d32a2e021c5510806e74261a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5bkxry3z.arr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.dll

Filesize
4KB

MD5
53e3e0bec64bf9e854ade244e2c1c32c

SHA1
b4a30263d37171ab0ae4eedb2f7c2ab74b74d688

SHA256
6db359671ecf7ecee10bb2192b74c723a83dd50fe759cff99305e5f65d068430

SHA512
e5668ecc4e609b654c73b1f81e580225e08a7ddadf92e632ae76da1cf5375af170b9aca5e19327ebfdc117954237410a74d6adccf68224e30d74305482aeae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.dll

Filesize
6KB

MD5
0380796d88a4cfacc94c00e776c42a10

SHA1
2b411eee2b23e1dcc964e0c8792bc30f59ffcb69

SHA256
d324beb50af513a5d56f6b1d6a047063ce1b0f9f674814a4912d379282cacbe3

SHA512
6b0032ab4e6cb51f9e775b06c8f87032d816d7d8701444e6a0c08596d55c5dfe085447d23ab8f417f740007824507eb6feef513673c1918c615266891ae8c916

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\CSC5E16C2547E74105937C2B72C99F96DF.TMP

Filesize
652B

MD5
8bd8befe4021b77efdaa0783afa62c6f

SHA1
80b5092d8e51bfd87729ae885a70dcb5e7a9265c

SHA256
c45ad30558d23d82271739822569d5286143ef0397d6b0053d795c313812822f

SHA512
0e847a9e4ff31073ffeef536deaea337074b7d961a0c6adf02ad2693fbc08969fb78f3970ed0e3806ce2ff7f5b55c7e8330e65f6878e669f1cdd400fa0848be7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.0.cs

Filesize
2KB

MD5
b1f397a0d765a49ba2554b815326cfd7

SHA1
511ef931b96f19ee08dec8763b606701147244a1

SHA256
d39f9608c7e9805f327550e7cd98ed2b716dc2a4549ca4123215fe5331a9b36d

SHA512
f34a8edb867d39f0dc53de1708a65570d1fd2d0a57e5908f3a222f0edb77d65f719a491b93e697a0233cf9a443c2387cb34549264befc100bc6a2d436cd0b254

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bylamoim\bylamoim.cmdline

Filesize
369B

MD5
2b0c40375698bac6509ac2f7cff4ab8b

SHA1
4a79a92aec275ab6ddff282747c7d150f67a19b2

SHA256
3abbb0a9e76a1dbcd66cfe99cef212b48bf1521990cd6c0f7ea80ba5c05af24d

SHA512
a8c4e8de9129cf6d7e37aa45770f070fc3bc08760e57558382228381b0b1c179a6f3c794d61bbc58b6ff415fe9929eb5a4a3ef0701368a351e182229e3d7192b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\CSC1627F0DB4BCF48819872F3AEF969D3D7.TMP

Filesize
652B

MD5
32cfc466fbc6cb8e39d282717c034c85

SHA1
8ada26bb651e0bdc540c7a2594ac0a7377f7adb5

SHA256
82ca392a650dd05d3892dcc83aefd70bb7cb3cc5f9549107b4e4e2d7045a812f

SHA512
9d40d39c55bc2d4d826c079d99f7e47c6514b5ad492c62f7c55f6c9ef7b2f99f79067223bf4112aca32ffe500231a59a2b7da34a383611b90fb47ae0f76c6484

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.0.cs

Filesize
10KB

MD5
220274c8b5ea2af3a7c625d0c4985fc2

SHA1
2f5228308d3808946552e53ef5b9829b8764b741

SHA256
b00f4040bfc94627cc06e351d43d4b6fdaa1161b20b702956b564e18c3a37ee1

SHA512
da40fd6d5a9daeb3c42cfa3d92df0fcb71b1b9ab00577afe165c539e95f26cba80958b74140067b93deb66807de60f0d533e232ec49d0a28b798f6d339037c69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2dnnj0h\u2dnnj0h.cmdline

Filesize
369B

MD5
04a01a91df7ef77d340490f3ae3b5295

SHA1
a571894c797296f6676c07b60204280fcf4f8049

SHA256
2f7ad8133424031a94b72ffcbf650edb4f9672bf92dfb0ffb57ae0dca0cb2fa8

SHA512
2a72a615d00228275b67686a6da716cbeef0718125386809049a36dd4c996e29475254353d168a50e2d052f566e2ade15915dd14b63882f8d7c22e32a1e29329

Download Submit
memory/1460-25-0x000001D7B21B0000-0x000001D7B21B8000-memory.dmp

Filesize
32KB

Download
memory/1460-45-0x00007FFAD5833000-0x00007FFAD5835000-memory.dmp

Filesize
8KB

Download
memory/1460-43-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-42-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-41-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-39-0x000001D7B23E0000-0x000001D7B23E8000-memory.dmp

Filesize
32KB

Download
memory/1460-12-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-11-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-6137-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-10-0x000001D7AFFC0000-0x000001D7AFFE2000-memory.dmp

Filesize
136KB

Download
memory/1460-3563-0x00007FFAD5830000-0x00007FFAD62F1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-0-0x00007FFAD5833000-0x00007FFAD5835000-memory.dmp

Filesize
8KB

Download
memory/3476-76-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-107-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-89-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-88-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-87-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-86-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-84-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-82-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-81-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-79-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-78-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-92-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-75-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-74-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-73-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-72-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-70-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-69-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-68-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-66-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-65-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-93-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-64-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-95-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-63-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-61-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-60-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-59-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-58-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-57-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-56-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-90-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-101-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-96-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-94-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-91-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-85-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-54-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-53-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-52-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-51-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-49-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-71-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-67-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-62-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-55-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-48-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-46-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-97-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-98-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-99-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-100-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-103-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-104-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-105-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-102-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-106-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-108-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-77-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-50-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-47-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download
memory/3476-44-0x0000000002410000-0x000000000242B000-memory.dmp

Filesize
108KB

Download