djvu | 007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00

Analysis

max time kernel
157s
max time network
176s
platform
windows10_x64
resource
win10-en-20211208
submitted
03-02-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
Size

828KB
MD5

9501470fe5ea3232193373b54c6d8987
SHA1

f5eaf1fc0691910e9b35d080219f226e8935eb72
SHA256

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00
SHA512

869946fa03e34de6a51239dd10d8bef9a24adce20807918fb71fdf676cd0dd4dab6fb710c02f20cebdac4e9d2008b53608fbc9379b02b1f62cf0e269782d4e88

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Family

djvu

http://fuyt.org/test1/get.php

Attributes

extension
.bbbw
offline_id
jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1
payload_url
http://lencu.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-qqj8MrDVtG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0382UIhfSd

rsa_pubkey.plain

Extracted

Family

vidar

Version

49.8

Botnet

517

https://c.im/@prophef3

https://qoto.org/@prophef41

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-116-0x00000000023A0000-0x00000000024BB000-memory.dmp	family_djvu
behavioral1/memory/2112-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2112-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2880-128-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2904-132-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/2904-133-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/2904-136-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

build2.exe

pid process

2904 build2.exe
Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

2904 build2.exe
2904 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2780 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2904	build2.exe

pid	process
2904	build2.exe
2904	build2.exe

pid	process
2780	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\990e3ece-a982-4807-9edf-c2774dfa40c5\\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe\" --AutoStart"	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
14 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

build2.exe

pid process

2904 build2.exe

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
14	api.2ip.ua

pid	process
2904	build2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

description	pid	process	target process
PID 1972 set thread context of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 set thread context of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 2904 WerFault.exe build2.exe

pid	pid_target	process	target process
1780	2904	WerFault.exe	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exebuild2.exeWerFault.exe

pid	process
2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
2880	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
2880	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
2904	build2.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1780 WerFault.exe
Token: SeBackupPrivilege 1780 WerFault.exe
Token: SeDebugPrivilege 1780 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1780	WerFault.exe
Token: SeBackupPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	1780	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
"C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
"C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\990e3ece-a982-4807-9edf-c2774dfa40c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2780

C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
"C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
"C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe
"C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1468
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
33d1c53ba363f4e01e8a56e97a76aac1

SHA1
36b1eedb6d1e2d2898043c05f650957af0f283c9

SHA256
df3dd95a78c64e43870744ef82a86970015a666c69babd1671d26a9bfc8d7377

SHA512
786bd8f6d1b42b568261bf12a305f98a49258335d1308a1df2776ef0adbb4ce71c8c13d89105a72f098eadd52921b9784ec69b0485af21ec4c30c16e311a04a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
785fba5418a4df5e682d7a4da4ef7103

SHA1
3afe4a04cd5a58d6b51221f5a3aa2b6ee6112d33

SHA256
87f5330cc843ef52a6175dbe88046fbe75f140800a1c934b676d05b9fef2fe66

SHA512
b712943187ee2a64371be31cef6fb4d39ace66d1c308a5f3ec73cfcd684ac78d9cd9a57e0d4294f88c51c9a32c9c23955b75d4939085b2f57939befa86e1ad96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
0613d7807deaf2ddb01357660b794228

SHA1
634c5569d5a72a81592e009b24754c2874a5017e

SHA256
fc3d44458b53e02aabc196832311c36048242ec594e8b1c89d45d22e9943cf3e

SHA512
812910fd4e8f687dffd1f6023410ef53bd50a0b183d80f09886bfa4e21023ebdc001cb9995400031daa49d07a169a24c366a91f365b2b70487545fb901329c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
0536f09e36923bb6a6c081e28220394d

SHA1
75e4c2bbed6d45079bc2ac30c21c7f118d64feb7

SHA256
897d213db662ccfb7d5c8f9a1cec37053b8fd8915756c3bf48f6efe22b91fd92

SHA512
fd014c4d5cd9e1eef393a03d890c3de972c2687f3fc7ee1652538fd354216ec7473b98042131e06b5e95d227af69c25773b54945670c7fae1b25680a6e31137f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
33aca28f29a9d0c74f7743c46f896452

SHA1
f411a7602a856635e26504718009e1718c486156

SHA256
9df52b66f98b228d7f165cef3f0c8d5ef496a7602ce1d05f204ab6b0e2d01229

SHA512
3dde89c1b3bf53380bb8349eb42ea86af38b9f8c1e474964a5c58ceb0da30cdcc9a7d3d8f40c58d0f611bfecbc8d0524dc129c082394a9015faf081426444a1b

Download Submit
C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe
MD5
a96bef4d3678039d2325d8eb11a28064

SHA1
584b93829a5d0b7f8be36aadc4b4254d5905f71b

SHA256
2a16d83ed34f45fe29d37579d4b45385a4c92900ad1ed71473449af3a9062e96

SHA512
d7af7152b37524fc93f40cb3884adec1a683c84c141dda4d3eac4333e2a6c7ceb029b6b17e1d90c3f836a634bf7af7f3cf6963ae97a94265df936f9fcf812cce

Download Submit
C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe
MD5
a96bef4d3678039d2325d8eb11a28064

SHA1
584b93829a5d0b7f8be36aadc4b4254d5905f71b

SHA256
2a16d83ed34f45fe29d37579d4b45385a4c92900ad1ed71473449af3a9062e96

SHA512
d7af7152b37524fc93f40cb3884adec1a683c84c141dda4d3eac4333e2a6c7ceb029b6b17e1d90c3f836a634bf7af7f3cf6963ae97a94265df936f9fcf812cce

Download Submit
C:\Users\Admin\AppData\Local\990e3ece-a982-4807-9edf-c2774dfa40c5\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
MD5
9501470fe5ea3232193373b54c6d8987

SHA1
f5eaf1fc0691910e9b35d080219f226e8935eb72

SHA256
007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00

SHA512
869946fa03e34de6a51239dd10d8bef9a24adce20807918fb71fdf676cd0dd4dab6fb710c02f20cebdac4e9d2008b53608fbc9379b02b1f62cf0e269782d4e88

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/1972-116-0x00000000023A0000-0x00000000024BB000-memory.dmp

Filesize
1.1MB

Download
memory/2112-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2112-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2904-134-0x0000000002320000-0x0000000002365000-memory.dmp

Filesize
276KB

Download
memory/2904-133-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2904-135-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2904-136-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2904-137-0x00000000745B0000-0x0000000074772000-memory.dmp

Filesize
1.8MB

Download
memory/2904-138-0x00000000777C0000-0x00000000778B1000-memory.dmp

Filesize
964KB

Download
memory/2904-132-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2904-131-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2904-141-0x0000000072A90000-0x0000000072AB4000-memory.dmp

Filesize
144KB

Download
memory/2904-142-0x0000000072AF0000-0x0000000072C24000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 1972 wrote to memory of 2112	1972	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 2112 wrote to memory of 2780	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	icacls.exe
PID 2112 wrote to memory of 2780	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	icacls.exe
PID 2112 wrote to memory of 2780	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	icacls.exe
PID 2112 wrote to memory of 3736	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 2112 wrote to memory of 3736	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 2112 wrote to memory of 3736	2112	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 3736 wrote to memory of 2880	3736	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
PID 2880 wrote to memory of 2904	2880	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	build2.exe
PID 2880 wrote to memory of 2904	2880	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	build2.exe
PID 2880 wrote to memory of 2904	2880	007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe	build2.exe