djvu | 8db223a1ffa1b3b3788ee9f0e050cc64f7b5cbefa8745e95e00391f7babcce58

Analysis

max time kernel
152s
max time network
135s
platform
windows10_x64
resource
win10-en-20211014
submitted
10-11-2021 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08cb82859479b33dc1d0738b985db28c.exe
Size

228KB
MD5

08cb82859479b33dc1d0738b985db28c
SHA1

2162cec3e4a16e4b9c610004011473965cf300f8
SHA256

8db223a1ffa1b3b3788ee9f0e050cc64f7b5cbefa8745e95e00391f7babcce58
SHA512

a69a4eacb8ced14dc55fca39d43d6182fe8d600d4da9fb938298fc151866a26777b45a527bcb2cc099d734111dbeb70224ed16e9b590c8b76b057b905eb7c912

Score

10^/10

djvu redline smokeloader vidar 706 z0rm1on backdoor discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

djvu

http://pqkl.org/lancer/get.php

Attributes

extension
.irfk
offline_id
7HKlLI6NrOQGMaTs5PqjvV1UcZ3VOcIeyFiH3Wt1
payload_url
http://kotob.top/dl/build2.exe
http://pqkl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0346uSifke

rsa_pubkey.plain

Extracted

Family

vidar

Version

48.1

Botnet

706

https://koyu.space/@rspich

Attributes

profile_id
706

Extracted

Family

redline

Botnet

z0rm1on

45.153.186.153:56675

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2040-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2040-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/2040-128-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/824-127-0x0000000004860000-0x000000000497B000-memory.dmp	family_djvu
behavioral2/memory/728-135-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/728-144-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2804-176-0x0000000004940000-0x000000000496E000-memory.dmp	family_redline
behavioral2/memory/2804-182-0x0000000004C30000-0x0000000004C5C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2216-168-0x0000000004850000-0x0000000004925000-memory.dmp	family_vidar
behavioral2/memory/2216-169-0x0000000000400000-0x0000000002BAC000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

872D.exe872D.exe872D.exe872D.exe9F4A.exe9QvqyDn8Mt.ExeB748.exeCDEE.exe

pid process

824 872D.exe
2040 872D.exe
1700 872D.exe
728 872D.exe
3716 9F4A.exe
1940 9QvqyDn8Mt.Exe
2216 B748.exe
2804 CDEE.exe
Deletes itself 1 IoCs

Processes:

pid process

3024
Loads dropped DLL 4 IoCs

Processes:

08cb82859479b33dc1d0738b985db28c.exeregsvr32.exeB748.exe

pid process

2800 08cb82859479b33dc1d0738b985db28c.exe
3292 regsvr32.exe
2216 B748.exe
2216 B748.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1492 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
824	872D.exe
2040	872D.exe
1700	872D.exe
728	872D.exe
3716	9F4A.exe
1940	9QvqyDn8Mt.Exe
2216	B748.exe
2804	CDEE.exe

pid	process
3024

pid	process
1492	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

872D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6cdb2e91-de99-4c91-819e-22b8b375e52d\\872D.exe\" --AutoStart"	872D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.2ip.ua
36 api.2ip.ua
42 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

872D.exe872D.exe

description pid process target process

PID 824 set thread context of 2040 824 872D.exe 872D.exe
PID 1700 set thread context of 728 1700 872D.exe 872D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
35	api.2ip.ua
36	api.2ip.ua
42	api.2ip.ua

description	pid	process	target process
PID 824 set thread context of 2040	824	872D.exe	872D.exe
PID 1700 set thread context of 728	1700	872D.exe	872D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

08cb82859479b33dc1d0738b985db28c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08cb82859479b33dc1d0738b985db28c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08cb82859479b33dc1d0738b985db28c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08cb82859479b33dc1d0738b985db28c.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B748.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B748.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B748.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1480 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1808 taskkill.exe
1648 taskkill.exe

pid	process
1480	timeout.exe

pid	process
1808	taskkill.exe
1648	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

872D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	872D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	872D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

08cb82859479b33dc1d0738b985db28c.exe

pid	process
2800	08cb82859479b33dc1d0738b985db28c.exe
2800	08cb82859479b33dc1d0738b985db28c.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

08cb82859479b33dc1d0738b985db28c.exe

pid process

2800 08cb82859479b33dc1d0738b985db28c.exe

pid	process
3024

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeCDEE.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	2804	CDEE.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

872D.exe872D.exe872D.exe9F4A.exemshta.execmd.exe9QvqyDn8Mt.Exemshta.exemshta.execmd.exe

description	pid	process	target process
PID 3024 wrote to memory of 824	3024		872D.exe
PID 3024 wrote to memory of 824	3024		872D.exe
PID 3024 wrote to memory of 824	3024		872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 824 wrote to memory of 2040	824	872D.exe	872D.exe
PID 2040 wrote to memory of 1492	2040	872D.exe	icacls.exe
PID 2040 wrote to memory of 1492	2040	872D.exe	icacls.exe
PID 2040 wrote to memory of 1492	2040	872D.exe	icacls.exe
PID 2040 wrote to memory of 1700	2040	872D.exe	872D.exe
PID 2040 wrote to memory of 1700	2040	872D.exe	872D.exe
PID 2040 wrote to memory of 1700	2040	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 1700 wrote to memory of 728	1700	872D.exe	872D.exe
PID 3024 wrote to memory of 3716	3024		9F4A.exe
PID 3024 wrote to memory of 3716	3024		9F4A.exe
PID 3024 wrote to memory of 3716	3024		9F4A.exe
PID 3716 wrote to memory of 1056	3716	9F4A.exe	mshta.exe
PID 3716 wrote to memory of 1056	3716	9F4A.exe	mshta.exe
PID 3716 wrote to memory of 1056	3716	9F4A.exe	mshta.exe
PID 1056 wrote to memory of 1424	1056	mshta.exe	cmd.exe
PID 1056 wrote to memory of 1424	1056	mshta.exe	cmd.exe
PID 1056 wrote to memory of 1424	1056	mshta.exe	cmd.exe
PID 1424 wrote to memory of 1940	1424	cmd.exe	9QvqyDn8Mt.Exe
PID 1424 wrote to memory of 1940	1424	cmd.exe	9QvqyDn8Mt.Exe
PID 1424 wrote to memory of 1940	1424	cmd.exe	9QvqyDn8Mt.Exe
PID 1424 wrote to memory of 1808	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1808	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1808	1424	cmd.exe	taskkill.exe
PID 1940 wrote to memory of 2388	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 1940 wrote to memory of 2388	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 1940 wrote to memory of 2388	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 2388 wrote to memory of 4040	2388	mshta.exe	cmd.exe
PID 2388 wrote to memory of 4040	2388	mshta.exe	cmd.exe
PID 2388 wrote to memory of 4040	2388	mshta.exe	cmd.exe
PID 1940 wrote to memory of 2464	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 1940 wrote to memory of 2464	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 1940 wrote to memory of 2464	1940	9QvqyDn8Mt.Exe	mshta.exe
PID 2464 wrote to memory of 1580	2464	mshta.exe	cmd.exe
PID 2464 wrote to memory of 1580	2464	mshta.exe	cmd.exe
PID 2464 wrote to memory of 1580	2464	mshta.exe	cmd.exe
PID 1580 wrote to memory of 2908	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 2908	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 2908	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 3772	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 3772	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 3772	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 3292	1580	cmd.exe	regsvr32.exe
PID 1580 wrote to memory of 3292	1580	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\08cb82859479b33dc1d0738b985db28c.exe
"C:\Users\Admin\AppData\Local\Temp\08cb82859479b33dc1d0738b985db28c.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2800

C:\Users\Admin\AppData\Local\Temp\872D.exe
C:\Users\Admin\AppData\Local\Temp\872D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\872D.exe
C:\Users\Admin\AppData\Local\Temp\872D.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6cdb2e91-de99-4c91-819e-22b8b375e52d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1492

C:\Users\Admin\AppData\Local\Temp\872D.exe
"C:\Users\Admin\AppData\Local\Temp\872D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\872D.exe
"C:\Users\Admin\AppData\Local\Temp\872D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:728

C:\Users\Admin\AppData\Local\Temp\9F4A.exe
C:\Users\Admin\AppData\Local\Temp\9F4A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIpT: cLOSe( CReateoBJECt( "WscrIpT.sHEll").rUN( "C:\Windows\system32\cmd.exe /Q /R type ""C:\Users\Admin\AppData\Local\Temp\9F4A.exe"" > 9QvqyDn8Mt.Exe&& stARt 9QvQYDN8MT.EXE -PkCqqHUkE43wIVRS &IF """" == """" for %A IN ( ""C:\Users\Admin\AppData\Local\Temp\9F4A.exe"" ) do taskkill /IM ""%~nxA"" -f ", 0 , tRUE ))
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R type "C:\Users\Admin\AppData\Local\Temp\9F4A.exe" > 9QvqyDn8Mt.Exe&& stARt 9QvQYDN8MT.EXE -PkCqqHUkE43wIVRS &IF "" == "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\9F4A.exe" ) do taskkill /IM "%~nxA" -f
3⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe
9QvQYDN8MT.EXE -PkCqqHUkE43wIVRS
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIpT: cLOSe( CReateoBJECt( "WscrIpT.sHEll").rUN( "C:\Windows\system32\cmd.exe /Q /R type ""C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe"" > 9QvqyDn8Mt.Exe&& stARt 9QvQYDN8MT.EXE -PkCqqHUkE43wIVRS &IF ""-PkCqqHUkE43wIVRS "" == """" for %A IN ( ""C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe"" ) do taskkill /IM ""%~nxA"" -f ", 0 , tRUE ))
5⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /R type "C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe" > 9QvqyDn8Mt.Exe&& stARt 9QvQYDN8MT.EXE -PkCqqHUkE43wIVRS &IF "-PkCqqHUkE43wIVRS " == "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe" ) do taskkill /IM "%~nxA" -f
6⤵
PID:4040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscRiPT: cLoSE( CreaTEoBjeCT("WSCRIpt.shelL" ).rUn ( "C:\Windows\system32\cmd.exe /q /c echO | Set /P = ""MZ"" > Z7hM_OPG.W & COpy /b /y Z7HM_OPG.W+ M97FmK.B + D2sZGB.P QzUC.Q3F & dEL M97FmK.B D2szGB.P Z7hM_Opg.W& sTarT regsvr32 -s .\QzUC.Q3F " , 0 ,True ) )
5⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c echO | Set /P = "MZ" > Z7hM_OPG.W& COpy /b /y Z7HM_OPG.W+ M97FmK.B + D2sZGB.P QzUC.Q3F & dEL M97FmK.B D2szGB.P Z7hM_Opg.W& sTarT regsvr32 -s .\QzUC.Q3F
6⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echO "
7⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>Z7hM_OPG.W"
7⤵
PID:3772

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s .\QzUC.Q3F
7⤵
- Loads dropped DLL
PID:3292

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "9F4A.exe" -f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\B748.exe
C:\Users\Admin\AppData\Local\Temp\B748.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B748.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B748.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:3160

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B748.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:1480

C:\Users\Admin\AppData\Local\Temp\CDEE.exe
C:\Users\Admin\AppData\Local\Temp\CDEE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
d8ec7917c33f103a7288af33cae7de14

SHA1
285babb225e06e84a4050f140d21970ecd9d39ee

SHA256
467d7ceb2f929daba1e910064fad42123bb2ecd65f57423900bb3777e88b7e89

SHA512
9accf32dbfd9260dbfee95982c6487882828f86f3e090f598d6f426760c093886ba68ec664b7db942027320c1eb95029c45c98ea139308a491d0b15dab6aad79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
026c2a59b797991b8379df56c6ea513a

SHA1
266a2e055410708de4db7e704b4ed449006a1f2b

SHA256
21ed5e42cf0d63dffeb9e5d3711e6b760f84d8c8c1715d5f8bf9ea047a1dbabe

SHA512
809116817fd88a722ccaa7703a850e103e034aa20b351f50f5b29ee198352568a6aa06cd78b75c19e03757230d30058366f3c25aa043c02d9f7d5301f457cb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
82fc0920fbd4b6ffdde3240d48ff5669

SHA1
b28a5396ceb2c093d01fdc005fc1d2c3639fb89a

SHA256
3d06db1139b3831352726eb0cbb0aed7e8132d57b61141de10cd7e391f8005ff

SHA512
624784459a648f2dcae66ca49ae0dd72cb93bb81174218358d3b11e105872336ec1dac2f0de01f838ea321fa61606b05da4e2172d58e2968171da505c3bdb071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
5990d6f289c7c955c6e8a9f597e946bb

SHA1
d42f64e5f64b56e56460ab45750d77908b9550ea

SHA256
8221bfde7e621b7bd57fb7f17a2cad19702976b65a050f76f1623e2fa5442519

SHA512
9f4d4d646e0c6c41412ba024d302a498a35a41a992456d17796ddea9b3f17ec5a35def7bd86f50ca1f5b4677db74e3edd9e0a4cd48412072a861c6c49a673370

Download Submit
C:\Users\Admin\AppData\Local\6cdb2e91-de99-4c91-819e-22b8b375e52d\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\872D.exe
MD5
eb9c73e540da58c65f2624d33dba9e28

SHA1
88b0906beeb2d2105cb52bb9a155197b9ea2fd99

SHA256
c6636e2da0b85f59afe657c17e3bd580de60534ae6547536631deb21f80405dd

SHA512
c10e4c216b00abece9808814725a5b0aff5b466185506525c53ae2b414e10df70d44712586c4f81721570c92a3371d3a8205c8a4b90ca0554e6de9fb94d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4A.exe
MD5
6ab3d79acb3c1d8df1dc9fe2e051d9b3

SHA1
fb4ab2318f3044340bf7213bd65c171b335e4136

SHA256
668c74238b6973b10c1ed24657982189a20e8105ba489395dbb44963d4bbdca0

SHA512
6e1d76b19bd7761e85f786ecfcd50211216b23b94ff2f11b975a3d31cf20b8e7f9e3104962d840d0eefa25f4a5aec08e6305033db0ae6e852cabf57647a4743b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4A.exe
MD5
6ab3d79acb3c1d8df1dc9fe2e051d9b3

SHA1
fb4ab2318f3044340bf7213bd65c171b335e4136

SHA256
668c74238b6973b10c1ed24657982189a20e8105ba489395dbb44963d4bbdca0

SHA512
6e1d76b19bd7761e85f786ecfcd50211216b23b94ff2f11b975a3d31cf20b8e7f9e3104962d840d0eefa25f4a5aec08e6305033db0ae6e852cabf57647a4743b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe
MD5
6ab3d79acb3c1d8df1dc9fe2e051d9b3

SHA1
fb4ab2318f3044340bf7213bd65c171b335e4136

SHA256
668c74238b6973b10c1ed24657982189a20e8105ba489395dbb44963d4bbdca0

SHA512
6e1d76b19bd7761e85f786ecfcd50211216b23b94ff2f11b975a3d31cf20b8e7f9e3104962d840d0eefa25f4a5aec08e6305033db0ae6e852cabf57647a4743b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9QvqyDn8Mt.Exe
MD5
6ab3d79acb3c1d8df1dc9fe2e051d9b3

SHA1
fb4ab2318f3044340bf7213bd65c171b335e4136

SHA256
668c74238b6973b10c1ed24657982189a20e8105ba489395dbb44963d4bbdca0

SHA512
6e1d76b19bd7761e85f786ecfcd50211216b23b94ff2f11b975a3d31cf20b8e7f9e3104962d840d0eefa25f4a5aec08e6305033db0ae6e852cabf57647a4743b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B748.exe
MD5
37a6e875a30a26c10ab006500e689d2d

SHA1
c366173ce30dfc2729eb3ff6f105307a82f89050

SHA256
1a82c4391133cfdd3287427cf43508fffd02d809671f3171ab4f73d276001177

SHA512
1c5eec4fc5f00b05c37c9abdb83d4e3fbb4882fdef7d575cce4648f9064f928d2b3f45f6ac338a7f382582319e325023e75e2756cedad0a1dcdd45e12972f1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B748.exe
MD5
37a6e875a30a26c10ab006500e689d2d

SHA1
c366173ce30dfc2729eb3ff6f105307a82f89050

SHA256
1a82c4391133cfdd3287427cf43508fffd02d809671f3171ab4f73d276001177

SHA512
1c5eec4fc5f00b05c37c9abdb83d4e3fbb4882fdef7d575cce4648f9064f928d2b3f45f6ac338a7f382582319e325023e75e2756cedad0a1dcdd45e12972f1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDEE.exe
MD5
32595b3d480c6e01af5dcb585528ea08

SHA1
fbd8ab91525695cb0b2f3958b2e29eced70cd3cc

SHA256
a11bcb6be9a8e8430727c3fe6c567f75310c855724b903767fd737b507c89cda

SHA512
bce32068987b32ab043617c57e5463b051dee3a23f7f79750575eb5bf19e9c1e49094d1c6803ec6c9443a06b67943117ef732d28b997b63566ba7434d6a350f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDEE.exe
MD5
32595b3d480c6e01af5dcb585528ea08

SHA1
fbd8ab91525695cb0b2f3958b2e29eced70cd3cc

SHA256
a11bcb6be9a8e8430727c3fe6c567f75310c855724b903767fd737b507c89cda

SHA512
bce32068987b32ab043617c57e5463b051dee3a23f7f79750575eb5bf19e9c1e49094d1c6803ec6c9443a06b67943117ef732d28b997b63566ba7434d6a350f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2szgB.p
MD5
1ac18e842586450b8c065b8403a1b5d7

SHA1
4891e5e072be28e193b7e9bfbe9c56a87f162fd3

SHA256
eb7fc9b84d805df0277ead4157e47ff380cb79b49705845fedffd41c983da865

SHA512
11afd16165ebe2f8241681c6483be60f12c0e5a22c5acb05c66dab92345710931c25f375acbf74cbb31223a7ce9033db0176f06c3f9562de4323112dc9855a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\M97FmK.B
MD5
be460a4d10fb177a8cc6af3ba50f594d

SHA1
512be7c6a5d750f528d730f248273c80a94e9541

SHA256
efff4b8879cf928689753fe7a897569d9c1cb4b0126022efff9aaff0ce364bb9

SHA512
e00e4cf2f4c079517f0e064d61ba93528599f54a9ad01e78f7bf1f57b38e02235f50c2c20b5b4873cbab6f660337f7518d4eae556ebd4028602c464022f1b0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QzUC.Q3F
MD5
fbe899ef8e2fd479e6166e710c32290e

SHA1
20a4e4914650a4c2715abd1607004bdc98128958

SHA256
57626a7b1dfbe3865c93714abe741a38fd12b2907484778f441752dcb37a88b7

SHA512
80695bbea817d11fd3b130b276ff3fb1d205b124f3ffd00b7504e5cda0e85c1e04146ef06d9a394bbb5328b9d51c925b96fd39afb5a209268425738fc0773ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7hM_OPG.W
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\QzUC.Q3F
MD5
fbe899ef8e2fd479e6166e710c32290e

SHA1
20a4e4914650a4c2715abd1607004bdc98128958

SHA256
57626a7b1dfbe3865c93714abe741a38fd12b2907484778f441752dcb37a88b7

SHA512
80695bbea817d11fd3b130b276ff3fb1d205b124f3ffd00b7504e5cda0e85c1e04146ef06d9a394bbb5328b9d51c925b96fd39afb5a209268425738fc0773ff4

Download Submit
memory/728-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/728-135-0x0000000000424141-mapping.dmp

Download
memory/824-127-0x0000000004860000-0x000000000497B000-memory.dmp

Filesize
1.1MB

Download
memory/824-123-0x00000000047C3000-0x0000000004855000-memory.dmp

Filesize
584KB

Download
memory/824-120-0x0000000000000000-mapping.dmp

Download
memory/1056-145-0x0000000000000000-mapping.dmp

Download
memory/1424-146-0x0000000000000000-mapping.dmp

Download
memory/1480-194-0x0000000000000000-mapping.dmp

Download
memory/1492-129-0x0000000000000000-mapping.dmp

Download
memory/1580-154-0x0000000000000000-mapping.dmp

Download
memory/1648-193-0x0000000000000000-mapping.dmp

Download
memory/1700-131-0x0000000000000000-mapping.dmp

Download
memory/1700-133-0x00000000048BF000-0x0000000004951000-memory.dmp

Filesize
584KB

Download
memory/1808-150-0x0000000000000000-mapping.dmp

Download
memory/1940-147-0x0000000000000000-mapping.dmp

Download
memory/2040-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2040-125-0x0000000000424141-mapping.dmp

Download
memory/2040-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2216-163-0x0000000000000000-mapping.dmp

Download
memory/2216-168-0x0000000004850000-0x0000000004925000-memory.dmp

Filesize
852KB

Download
memory/2216-169-0x0000000000400000-0x0000000002BAC000-memory.dmp

Filesize
39.7MB

Download
memory/2388-151-0x0000000000000000-mapping.dmp

Download
memory/2464-153-0x0000000000000000-mapping.dmp

Download
memory/2800-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-117-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/2800-116-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2804-184-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2804-176-0x0000000004940000-0x000000000496E000-memory.dmp

Filesize
184KB

Download
memory/2804-177-0x0000000004650000-0x0000000004689000-memory.dmp

Filesize
228KB

Download
memory/2804-179-0x0000000007322000-0x0000000007323000-memory.dmp

Filesize
4KB

Download
memory/2804-180-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/2804-182-0x0000000004C30000-0x0000000004C5C000-memory.dmp

Filesize
176KB

Download
memory/2804-183-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/2804-181-0x0000000007323000-0x0000000007324000-memory.dmp

Filesize
4KB

Download
memory/2804-203-0x0000000008D10000-0x0000000008D11000-memory.dmp

Filesize
4KB

Download
memory/2804-185-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2804-186-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/2804-187-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/2804-188-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2804-189-0x0000000007324000-0x0000000007326000-memory.dmp

Filesize
8KB

Download
memory/2804-202-0x0000000008B30000-0x0000000008B31000-memory.dmp

Filesize
4KB

Download
memory/2804-201-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/2804-200-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/2804-178-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/2804-172-0x0000000000000000-mapping.dmp

Download
memory/2804-199-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/2804-198-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/2908-155-0x0000000000000000-mapping.dmp

Download
memory/3024-119-0x0000000001080000-0x0000000001096000-memory.dmp

Filesize
88KB

Download
memory/3160-192-0x0000000000000000-mapping.dmp

Download
memory/3292-196-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/3292-195-0x0000000004F20000-0x0000000004FD0000-memory.dmp

Filesize
704KB

Download
memory/3292-191-0x0000000004E60000-0x0000000004F16000-memory.dmp

Filesize
728KB

Download
memory/3292-190-0x0000000004CE0000-0x0000000004D97000-memory.dmp

Filesize
732KB

Download
memory/3292-160-0x0000000000000000-mapping.dmp

Download
memory/3292-166-0x0000000002C00000-0x0000000002D4A000-memory.dmp

Filesize
1.3MB

Download
memory/3716-141-0x0000000000000000-mapping.dmp

Download
memory/3772-156-0x0000000000000000-mapping.dmp

Download
memory/4040-152-0x0000000000000000-mapping.dmp

Download

pid	process
2800	08cb82859479b33dc1d0738b985db28c.exe
3292	regsvr32.exe
2216	B748.exe
2216	B748.exe