hxxps://github[.]com/LotusTrojan/Virus-Maker-VB

Analysis

max time kernel
1800s
max time network
2618s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LotusTrojan/Virus-Maker-VB

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\en-US\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BthMini.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ipfltdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mountmgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbuhci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\disk.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb20.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpstorport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\filetrace.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mountmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndistapi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpipagr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volume.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpiex.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tunnel.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kbdhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rfxvmt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sermouse.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\Microsoft.Bluetooth.AvrcpTransport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sdbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mstee.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\amdppm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\CAD.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wudfpf.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspppoe.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBXHCI.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\werkernel.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Acx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\IndirectKmd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\KNetPwrDepBroker.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volsnap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\fvevol.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tcpip.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gmreadme.txt	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ipnat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\monitor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmgid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgmms2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fileinfo.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bttflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dmpusbstor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\winnat.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mmcss.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbFlt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\disk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFPf.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sdstor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui	cmd.exe

Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\wintrust.dll cmd.exe
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll cmd.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

4308 icacls.exe
2156 takeown.exe
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
persistence

Print Processors
T1547.012

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\spool\prtprocs\x64\winprint.dll cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Virus Maker.exe

pid process

456 Virus Maker.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2156 takeown.exe
4308 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

86 raw.githubusercontent.com
87 raw.githubusercontent.com

description	ioc	process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe

pid	process
4308	icacls.exe
2156	takeown.exe

description	ioc	process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

pid	process
456	Virus Maker.exe

pid	process
2156	takeown.exe
4308	icacls.exe

flow	ioc
86	raw.githubusercontent.com
87	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vidcap.ax	cmd.exe
File opened for modification	C:\Windows\System32\en-US\mprdim.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\lv-LV\SyncRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\runas.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\wshqos.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\itss.dll	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\C_WPD~1.INF\c_wpd.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\rndiscmp.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netbxnda.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\rdvvmtransport.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\racpldlg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wlidcli.dll	cmd.exe
File opened for modification	C:\Windows\System32\WsmPty.xsl	cmd.exe
File opened for modification	C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Office\OTele\OFFICE~1.DB	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\c_netdriver.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_media.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\termmou.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\FileHistory.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\Licenses\_Default\PROFES~1\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\mstsc.mfl	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netv1x64.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\RDCameraDriver.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA354xp.bin	cmd.exe
File opened for modification	C:\Windows\System32\mcicda.dll	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\gpmgmt-DL.man	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\esrb.rs.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\ieunatt.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\downlevel\api-ms-win-security-base-l1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\iaLPSSi_I2C.INF_loc	cmd.exe
File opened for modification	C:\Windows\System32\wininitext.dll	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\stobject.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\CSVLK-~1\csvlk-pack-Volume-CSVLK-3-ul-store-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\Windows.Payments.dll	cmd.exe
File opened for modification	C:\Windows\System32\fphc.dll	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\AboutSettingsHandlers.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\rdpendp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\mstscax.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\wcncsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\RMapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netip6.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\xboxgipSynthetic.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\wscsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\WSDPrintProxy.DLL	cmd.exe
File opened for modification	C:\Windows\System32\zh-CN\chspy.spd	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\quickassist.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\RmClient.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\winusb.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\PlayToDevice.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\smbwmiv2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\TrustedSignalCredProv.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\msvidc32.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmSwitchProvider.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\catsrvps.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\itSAS35i.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\sppcommdlg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\taskbarcpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\CredProv2faHelper.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\dxdiag.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\PR3CDC~1\ProfessionalWorkstation-Retail-1-ul-store-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\APPVCL~1\ja\Microsoft.AppV.AppVClientPowerShell.resources.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\XblAuthManager.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\IEAdvpack.dll.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol
T1021.001

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\termsrv.dll cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 763099.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2280 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4708 msedge.exe
4708 msedge.exe
2800 msedge.exe
2800 msedge.exe
3776 identity_helper.exe
3776 identity_helper.exe
2388 msedge.exe
2388 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2800 msedge.exe
2800 msedge.exe
2800 msedge.exe
2800 msedge.exe
2800 msedge.exe
2800 msedge.exe
2800 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 763099.crdownload:SmartScreen	msedge.exe

pid	process
2280	NOTEPAD.EXE

pid	process
4708	msedge.exe
4708	msedge.exe
2800	msedge.exe
2800	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe

pid	process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2800 wrote to memory of 2272	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2272	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 804	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4708	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4708	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4260	2800	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LotusTrojan/Virus-Maker-VB
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe808046f8,0x7ffe80804708,0x7ffe80804718
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
2⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
2⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
2⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
2⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Users\Admin\Downloads\Virus Maker.exe
"C:\Users\Admin\Downloads\Virus Maker.exe"
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bro.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\bro.bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Modifies termsrv.dll
PID:404

C:\Windows\system32\takeown.exe
takeown C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2156

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
86d1eec673a4dcc2ab91ede6e088d0e3

SHA1
a5fc225450df518826bd96226ba6b750bed2f849

SHA256
ec8da24deb9b91eaa142dff62ed0e9f045d5351c1acf4eb3b3dd7d3365974601

SHA512
eefea99bf4912588fc1bb26c603463b6caa5845adeceb682cffea9af76a28fb561b0c58fc8ee1a89dac85dc0c95a0f50bf596efa68c9cf5b8e6e9343efee0cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
595B

MD5
38814757bed1b394fc225f44c1384214

SHA1
5c0405a2964d8b5ea3736d4c3f182d97bf7ead67

SHA256
0aca0d43c630d3477c5f6e619a56e1841ee38d8ac699270935615d1fb06af69e

SHA512
65a80226f2be9fd62d40d1d321a489839bdcff093d40e6e67860a01a6ea4bbfc33e435218cdbaefcd8ef62514540d83a81043280d659bea85e3c1828af52f45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
678B

MD5
1d9bf44973c18a2a639d1ed1eb792d88

SHA1
4ca08303ca556d377ec860d8e8526a257afba41a

SHA256
425622de3fd0a3557af7b98894d3e97dbbb3f0624b64567df01c3097e0383647

SHA512
3a682153587571be751d257cb4aeeea94af2315a138c9836d68a51328863b741707674c9fa879c78edfb6b322648cadc5ecab1eb6025b267d086e23c9e2aa36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4cc265ae851b0fe14a5a7801460aa76a

SHA1
1c44b50f9aec621b5e3771d7388300fc3574ff86

SHA256
47ae42997f1d78d7b505d304c5d3c7321832f3d5e16f9af1f7d187e653889058

SHA512
b0ff599fe47484431c866e7109202f0d679dba246ba1854ea5b25530e3cf471a979d00efd5086b9dc1f27a7d1e4672c2cfefb6ab44aa5c5ba7919442aa8a85b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
adabe229b4b701fea1bb3c323d62e814

SHA1
8b112c9165e824fcdf98cb64b1d2792741eb2943

SHA256
513550206d0387418c93c57c6daa7462efb1f4990dbfe4475bd012fcc6579560

SHA512
dc988b937e28522ed96780304a9213341a9ea7f6280fa7493c7f5dac567bcf5c217ce1501eb4a6e9476e66ebb31c512881e355088fbce6aad63edec3284f1d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
dbb5a0c4504ee122d0a6a46530d0066d

SHA1
709fcf91a4be91488ecae537785760179b1e42ed

SHA256
e35a0373ac9eee9da25a3a9a2aaa7f770279d72138d7655b6fe15c6570db36b2

SHA512
17f296e0b2802250df2bfb95aaeb84b592504fa205282436b5055c4d06361426e9573bda36f57a7e5cd44a0dba9d4773059267908996e2bd050deccfc341e85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
281501ee4d0b8414a6f373cb43f2cb5d

SHA1
9c6688ba064a85ae11f5483caa22e86b3a2a3bbf

SHA256
80f01656bcfefdee91304f1b3cfb121160d89dd215f70532a1c3790b8a729e88

SHA512
30acd2d34a603c5e9aec65b0335434dd24739a473a31415d744e2e50be571be5d1515d1eccf40da908786716871a170987f3da26a87a070bccad00bb58f62c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
15252235f21cc9e37d8294e63138d927

SHA1
8fd9ea221ff37011ae9a19c067b4e3cdd87d8f27

SHA256
4b0b4e2996af206538f0358b7cce2da21b0e7f22897f46b8a2555586ba4082ce

SHA512
5db4c7c182ba9b0387a849460297423d44ebe7c90f0838eb202e51987df380b0459460d1387acb7be5d808a20e1faf0bbfde1d6cea42649eaff3ded59dffdc97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1f62c604efc249ef6a41a720f90d7da6

SHA1
5a458f95a595d8659e425c56f7df913e83a929d3

SHA256
0f071b91bd2bbc76c08e8c7c9a513e2700140c8bd3fd85352af9d347ed88afba

SHA512
5ce8664179c394a2b69c08d164273ea826295621a22e3ef8e947893ba51999113a8e7d3079bd6f9cd3a3730fa91fe456e90161925a6975041fe489974e01eb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0b2f74472565bcab6664c65b3462090a

SHA1
f621170113d96da4da9588713b51a0580517e0a7

SHA256
8a9480eeccc06cdb30aeed65009388d30a9034bcf2a3355c5474bd66419ac9d1

SHA512
7f46268818951abfdc4bb888642ac0f0416ddcd8ba85b03a57bba8f942e290620de51ac06b609781c4ffb36e0c698fe513b3819d7966af6e4ff85a09afe9f138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e52950d1d9bcb59f21bda1198bef1046

SHA1
dd9c089d511ee4400377b2a9383afe56a21be7b3

SHA256
9a83b8b503eed3a0ee86ecfa6d295a39b0ede9b8aa971341064cc91c473738d6

SHA512
65a6785044b20c4c3cdb4c5b64d396436fed4bb5d214e5548cafb22fb651bce76183cd6d0c1ad6df702267e775ac8ebceb48af6502e85981da800ba9c65a599a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57855c.TMP
Filesize
1KB

MD5
db79801a49cbb68bf8133ab311fa6e24

SHA1
4579a40b2162828a0335365cb8d0abc2fe45cfe3

SHA256
81bd84e8b13db1ef137672a9ef1177aa09f0d13abc9ac8c177ff54497ba83cda

SHA512
a743d3c2aa7183a99e35c0e8984eae892f31e206383268ecfc739a19f606ad8f5d2a996dd8f02c80aa51c13c302f6cd2abe3225f4e63af634095d7f50e61fdab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4e62f37998f1de4fe4d34bd27640e6d5

SHA1
fedf443116a0beed9fbcc4a661660744ce0b1dc2

SHA256
e94d967cbef6ea352deb8a808748d87df686252d4ab82e364a0de76dd3c37a90

SHA512
c3c45ca7749711e71fd993480251815e44ca4977f6e6652f7b8daa1002bfd4d3b3340b2875757da90612590fb6aeb03b3f8f6ccc3e740c884e02df3f0ea71434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
cdb3987a4863b47a290b91dabd1cf73e

SHA1
62752d7a69edd7c799686b4087e62c06469c7a08

SHA256
9620a03a074aa27a35381c1d2a24878c8b78994767ec5f8d374c9c40c6efefa7

SHA512
46c70ced19c92b94b94c9939ae54448ef35c63c238f81e0f5bfd6e21cb233509ae29f57eebf5ac1b65967d0b1b383b3901a17286330f474bf744ab1734de956a

Download Submit
C:\Users\Admin\Desktop\bro.bat
Filesize
83B

MD5
57b50a6ac39ca6bb5def00ab473eebb8

SHA1
2c9c6131c56461bf0d845182294cfd89262aa655

SHA256
51a7bacfcd60d7d7ceaa35b07097f9ae9215b95d1cae22eb1e80d5f9a21d4935

SHA512
b59642aeb6fa9dd5674807319a6064c2508b5c02dd4093bd7cdf1b4a1183b4a5faee55c155c4fc3009b6f0545cac1a1e32ea7ac4333ec3504abbec9e69bcc71b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 763099.crdownload
Filesize
4.0MB

MD5
584f1f458f1f7fbe966cea5fded1fd91

SHA1
5e97ba311228796ac9cfd0556d96cb6c22111a3a

SHA256
0dfa569df3b8b2b075d29cd63c5a35a5473b89b355fad0af2c5aa148346edc70

SHA512
572f3593a6d3c7efb612f42ab647ab33073ef1c64ab46697b3e0024c9425cf20e307b0b815e742e65b2be728b084662e4ae53e730dd3263e9a5825c52392a7c3

Download Submit
\??\pipe\LOCAL\crashpad_2800_RWZQAQMQLGVLTHZP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-355-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/456-356-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/456-354-0x00000000008B0000-0x0000000000CB8000-memory.dmp

Filesize
4.0MB

Download
memory/456-362-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/456-363-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/456-364-0x0000000005820000-0x0000000005876000-memory.dmp

Filesize
344KB

Download