Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

Resubmissions

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

  • max time kernel
    1783s
  • max time network
    1718s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
Emails

blower@india.com

blower@firemail.cc

URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Executes dropped EXE 24 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 30 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 29 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    Adds Run key to start application
    Modifies system certificate store
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:3944
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      Modifies extensions of user files
      Drops desktop.ini file(s)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2112 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          Suspicious behavior: EnumeratesProcesses
          PID:2352
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3932 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Suspicious behavior: EnumeratesProcesses
        PID:2404
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2924 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:1040
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1840 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3104
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2908 -s 5808
    Program crash
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\explorer.exe
    explorer.exe
    Enumerates connected drives
    Checks SCSI registry key(s)
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:3040
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Suspicious use of SetWindowsHookEx
    PID:2252
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Enumerates system info in registry
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:1368
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3184 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:1992
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1976 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3528
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2232 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:2188
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3616 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4004
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3704 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:2292
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3360 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:688
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3752 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:3080
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2824 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3508
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      Executes dropped EXE
      PID:400
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 400 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        Executes dropped EXE
        PID:3236
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3636 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      Executes dropped EXE
      PID:32

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

File Permissions Modification

1
T1222

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

2
T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

  • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.kropun
    Download Submit
  • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun
    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    MD5

    ead18f3a909685922d7213714ea9a183

    SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

    SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

    SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

    Download Submit
  • C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_08bf4fcd\Report.wer
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_08bf4fcd\WER4F61.tmp.appcompat.txt
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_08bf4fcd\memory.hdmp
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_08bf4fcd\minidump.mdmp
    Download Submit
  • C:\Users\All Users\Microsoft\Windows\WER\Temp\WER4E27.tmp.WERInternalMetadata.xml
    Download Submit
  • memory/32-299-0x0000000000750000-0x0000000000790000-memory.dmp
    Filesize

    256KB

    Download
  • memory/32-298-0x00000000021E0000-0x00000000021E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/32-294-0x0000000000000000-mapping.dmp
    Download
  • memory/400-297-0x0000000002110000-0x0000000002111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/400-293-0x0000000000000000-mapping.dmp
    Download
  • memory/400-300-0x0000000000510000-0x0000000000550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/688-252-0x0000000000000000-mapping.dmp
    Download
  • memory/688-258-0x0000000000600000-0x0000000000640000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1040-165-0x00000000021A0000-0x00000000021A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1040-153-0x0000000000000000-mapping.dmp
    Download
  • memory/1040-205-0x00000000006E0000-0x0000000000720000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1840-19-0x0000000002150000-0x0000000002151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1840-20-0x000000000077A000-0x00000000007BA000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1840-21-0x0000000002150000-0x0000000002151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1976-209-0x0000000000680000-0x00000000006C0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1976-208-0x0000000002430000-0x0000000002431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-135-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-186-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-72-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-74-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-76-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-78-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-80-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-82-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-57-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-87-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-89-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-91-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-93-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-95-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-97-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-99-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-101-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-103-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-107-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-50-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-113-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-115-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-117-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-119-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-121-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-123-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-125-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-127-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-129-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-131-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-133-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-59-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-137-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-139-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-141-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-143-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-145-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-147-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-149-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-151-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-61-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-155-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-157-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-159-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-161-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-163-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-54-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-22-0x0000021698590000-0x0000021698591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-166-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-168-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-170-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-172-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-174-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-176-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-178-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-180-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-182-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-184-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-23-0x0000021698590000-0x0000021698591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-188-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-190-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-192-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-194-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-196-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-198-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-200-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-202-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-204-0x00000216A49B0000-0x00000216A49B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-67-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-52-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-65-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-63-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-85-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-70-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-111-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-25-0x0000021699B00000-0x0000021699B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-48-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-26-0x0000021699B00000-0x0000021699B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-46-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-44-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-42-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-40-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-38-0x0000021698560000-0x0000021698561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-37-0x000002169A160000-0x000002169A161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-227-0x0000000000680000-0x00000000006C0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1992-224-0x0000000000000000-mapping.dmp
    Download
  • memory/2112-12-0x0000000001FF0000-0x0000000001FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2112-9-0x0000000000000000-mapping.dmp
    Download
  • memory/2112-13-0x00000000008B0000-0x00000000008F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2188-247-0x00000000006E0000-0x0000000000720000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2188-244-0x0000000000000000-mapping.dmp
    Download
  • memory/2232-240-0x00000000021B0000-0x00000000021B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-243-0x00000000005A0000-0x00000000005E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2232-236-0x0000000000000000-mapping.dmp
    Download
  • memory/2292-259-0x0000000000000000-mapping.dmp
    Download
  • memory/2292-261-0x0000000002150000-0x0000000002151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-262-0x0000000000640000-0x0000000000680000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2352-15-0x0000000000000000-mapping.dmp
    Download
  • memory/2352-17-0x00000000007F0000-0x0000000000830000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2352-16-0x00000000022F0000-0x00000000022F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2404-14-0x0000000000670000-0x00000000006B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2404-10-0x0000000000000000-mapping.dmp
    Download
  • memory/2404-11-0x00000000022D0000-0x00000000022D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2824-265-0x00000000007D0000-0x0000000000810000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2824-264-0x00000000022D0000-0x00000000022D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-69-0x0000000000620000-0x0000000000660000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2924-35-0x00000000021E0000-0x00000000021E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-30-0x0000000000000000-mapping.dmp
    Download
  • memory/3080-289-0x0000000000680000-0x00000000006C0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3080-288-0x00000000020C0000-0x00000000020C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3080-286-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-55-0x0000000000620000-0x0000000000660000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3104-34-0x0000000002250000-0x0000000002251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-31-0x0000000000000000-mapping.dmp
    Download
  • memory/3184-213-0x0000000002060000-0x0000000002061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3184-210-0x0000000000000000-mapping.dmp
    Download
  • memory/3184-223-0x00000000006D0000-0x0000000000710000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3236-304-0x00000000004E0000-0x0000000000520000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3236-303-0x0000000002300000-0x0000000002301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3236-301-0x0000000000000000-mapping.dmp
    Download
  • memory/3360-249-0x0000000002460000-0x0000000002461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3360-250-0x00000000006F0000-0x0000000000730000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3508-271-0x0000000002340000-0x0000000002341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3508-273-0x00000000007D0000-0x0000000000810000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3508-267-0x0000000000000000-mapping.dmp
    Download
  • memory/3528-222-0x0000000000730000-0x0000000000770000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3528-211-0x0000000000000000-mapping.dmp
    Download
  • memory/3528-215-0x0000000002200000-0x0000000002201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-234-0x00000000005E0000-0x0000000000620000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3616-233-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-291-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-292-0x0000000000870000-0x00000000008B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3704-257-0x00000000004F0000-0x0000000000530000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3704-255-0x00000000022F0000-0x00000000022F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3704-251-0x0000000000000000-mapping.dmp
    Download
  • memory/3752-266-0x0000000000000000-mapping.dmp
    Download
  • memory/3752-272-0x0000000000530000-0x0000000000570000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3752-270-0x00000000022A0000-0x00000000022A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-1-0x000000000082A000-0x000000000086A000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3920-0-0x0000000002460000-0x0000000002461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-6-0x0000000000700000-0x0000000000740000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3932-5-0x0000000002200000-0x0000000002201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-2-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-237-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-242-0x00000000004E0000-0x0000000000520000-memory.dmp
    Filesize

    256KB

    Download