formbook | 069edc860955f7f56fe2c18cfd9d46e26b95831325541ab3cc92bba11f30fa3b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTRACTS DOCUMENTS.exe
Size

215KB
MD5

b5a64ee18bd52e91671491580ae349da
SHA1

0a5ec3756c34db4a9eb9a1e54a0867f9c98c6f3d
SHA256

380b98b82eca0b9f9ea4a86ea9ee60c579bc68d75a75db5d800074a8c50a0a52
SHA512

9fc1a1faed034a8e1247e1b6daeb83bbcc4f58ce3aadd5df21213837de5d3252c8801aeb7031be6c73fa00cc23ef85d218b724b0da3d9f6cbcd7dd3eaec9c6f9

Score

10^/10

formbook nfl rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

nfl

Decoy

giacamp.net

qb51.party

mashalevine.com

russiasexdating.com

jitangyy.com

morockin.com

karoreiss.com

tractionhero.today

bienvenueenprovence.net

stormharbour.info

61999h.com

tryandcert.com

bestwaytosuccess.com

laobaochang.com

otomatiktente.com

rehpb.info

ivpdqb.info

dc-wv-wv-ie-q.com

goingmagic.com

cimachain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 13 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1688-61-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2004-74-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2024-80-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/320-85-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/1152-98-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1348-110-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/1352-115-0x00000000000C0000-0x00000000000EA000-memory.dmp	formbook
behavioral1/memory/1604-119-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1280-127-0x0000000000180000-0x00000000001AA000-memory.dmp	formbook
behavioral1/memory/1832-133-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1224-140-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/1656-146-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/588-161-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops startup file 2 IoCs

Processes:

CONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	CONTRACTS DOCUMENTS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	CONTRACTS DOCUMENTS.exe

Suspicious use of SetThreadContext 49 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exewlanext.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exeRegAsm.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exe

description	pid	process	target process
PID 1744 set thread context of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1688 set thread context of 1264	1688	RegAsm.exe	Explorer.EXE
PID 1688 set thread context of 1264	1688	RegAsm.exe	Explorer.EXE
PID 1624 set thread context of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 2004 set thread context of 1264	2004	RegAsm.exe	Explorer.EXE
PID 524 set thread context of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 580 set thread context of 1264	580	RegAsm.exe	Explorer.EXE
PID 2024 set thread context of 1264	2024	wlanext.exe	Explorer.EXE
PID 1712 set thread context of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1152 set thread context of 1264	1152	RegAsm.exe	Explorer.EXE
PID 580 set thread context of 1264	580	RegAsm.exe	Explorer.EXE
PID 1028 set thread context of 1604	1028	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1604 set thread context of 1264	1604	RegAsm.exe	Explorer.EXE
PID 2036 set thread context of 1832	2036	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1832 set thread context of 1264	1832	RegAsm.exe	Explorer.EXE
PID 1636 set thread context of 1656	1636	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1656 set thread context of 1264	1656	RegAsm.exe	Explorer.EXE
PID 1188 set thread context of 1704	1188	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1704 set thread context of 1264	1704	RegAsm.exe	Explorer.EXE
PID 1656 set thread context of 1264	1656	RegAsm.exe	Explorer.EXE
PID 1256 set thread context of 588	1256	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1740 set thread context of 1884	1740	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 588 set thread context of 1264	588	RegAsm.exe	Explorer.EXE
PID 1884 set thread context of 1264	1884	RegAsm.exe	Explorer.EXE
PID 1704 set thread context of 1264	1704	RegAsm.exe	Explorer.EXE
PID 1516 set thread context of 1620	1516	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1620 set thread context of 1264	1620	RegAsm.exe	Explorer.EXE
PID 1884 set thread context of 1264	1884	RegAsm.exe	Explorer.EXE
PID 588 set thread context of 1264	588	RegAsm.exe	Explorer.EXE
PID 1316 set thread context of 1220	1316	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1220 set thread context of 1264	1220	RegAsm.exe	Explorer.EXE
PID 1620 set thread context of 1264	1620	RegAsm.exe	Explorer.EXE
PID 984 set thread context of 956	984	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 956 set thread context of 1264	956	RegAsm.exe	Explorer.EXE
PID 1220 set thread context of 1264	1220	RegAsm.exe	Explorer.EXE
PID 916 set thread context of 876	916	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 876 set thread context of 1264	876	RegAsm.exe	Explorer.EXE
PID 2012 set thread context of 1836	2012	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1836 set thread context of 1264	1836	RegAsm.exe	Explorer.EXE
PID 876 set thread context of 1264	876	RegAsm.exe	Explorer.EXE
PID 1120 set thread context of 1308	1120	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1308 set thread context of 1264	1308	RegAsm.exe	Explorer.EXE
PID 1360 set thread context of 1232	1360	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1232 set thread context of 1264	1232	RegAsm.exe	Explorer.EXE
PID 1824 set thread context of 1904	1824	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1904 set thread context of 1264	1904	RegAsm.exe	Explorer.EXE
PID 1780 set thread context of 952	1780	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 952 set thread context of 1264	952	RegAsm.exe	Explorer.EXE
PID 1904 set thread context of 1264	1904	RegAsm.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeNETSTAT.EXE

pid process

320 ipconfig.exe
1224 ipconfig.exe
1748 NETSTAT.EXE

pid	process
320	ipconfig.exe
1224	ipconfig.exe
1748	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exe

pid	process
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe
1744	CONTRACTS DOCUMENTS.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exewlanext.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exe

pid	process
1744	CONTRACTS DOCUMENTS.exe
1688	RegAsm.exe
1688	RegAsm.exe
1624	CONTRACTS DOCUMENTS.exe
2004	RegAsm.exe
1688	RegAsm.exe
1688	RegAsm.exe
2004	RegAsm.exe
2004	RegAsm.exe
2024	wlanext.exe
524	CONTRACTS DOCUMENTS.exe
580	RegAsm.exe
2024	wlanext.exe
1712	CONTRACTS DOCUMENTS.exe
1152	RegAsm.exe
580	RegAsm.exe
580	RegAsm.exe
580	RegAsm.exe
1152	RegAsm.exe
1152	RegAsm.exe
1028	CONTRACTS DOCUMENTS.exe
1028	CONTRACTS DOCUMENTS.exe
1604	RegAsm.exe
1604	RegAsm.exe
1604	RegAsm.exe
2036	CONTRACTS DOCUMENTS.exe
1832	RegAsm.exe
1832	RegAsm.exe
1832	RegAsm.exe
1636	CONTRACTS DOCUMENTS.exe
1656	RegAsm.exe
1188	CONTRACTS DOCUMENTS.exe
1704	RegAsm.exe
1656	RegAsm.exe
1256	CONTRACTS DOCUMENTS.exe
588	RegAsm.exe
1704	RegAsm.exe
1740	CONTRACTS DOCUMENTS.exe
1884	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1704	RegAsm.exe
1704	RegAsm.exe
1516	CONTRACTS DOCUMENTS.exe
1516	CONTRACTS DOCUMENTS.exe
1620	RegAsm.exe
588	RegAsm.exe
1884	RegAsm.exe
1884	RegAsm.exe
1884	RegAsm.exe
588	RegAsm.exe
588	RegAsm.exe
1316	CONTRACTS DOCUMENTS.exe
1220	RegAsm.exe
1620	RegAsm.exe
1620	RegAsm.exe
1620	RegAsm.exe
984	CONTRACTS DOCUMENTS.exe
956	RegAsm.exe
1220	RegAsm.exe
956	RegAsm.exe
956	RegAsm.exe
1220	RegAsm.exe
1220	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

CONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exewlanext.exeipconfig.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.execontrol.exemstsc.exeCONTRACTS DOCUMENTS.exeRegAsm.exenetsh.exeCONTRACTS DOCUMENTS.exeRegAsm.exeipconfig.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.execscript.exeNETSTAT.EXECONTRACTS DOCUMENTS.exeRegAsm.execontrol.execontrol.exeCONTRACTS DOCUMENTS.exeRegAsm.exemsiexec.exeCONTRACTS DOCUMENTS.exeRegAsm.exemsiexec.execmd.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exenetsh.exeCONTRACTS DOCUMENTS.exeRegAsm.exewlanext.exemsiexec.exeCONTRACTS DOCUMENTS.exeRegAsm.exewuapp.exeCONTRACTS DOCUMENTS.exeRegAsm.exeCONTRACTS DOCUMENTS.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1744	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1688	RegAsm.exe
Token: SeDebugPrivilege	1624	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	2004	RegAsm.exe
Token: SeDebugPrivilege	2024	wlanext.exe
Token: SeDebugPrivilege	320	ipconfig.exe
Token: SeDebugPrivilege	524	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	580	RegAsm.exe
Token: SeDebugPrivilege	1712	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1152	RegAsm.exe
Token: SeDebugPrivilege	1348	control.exe
Token: SeDebugPrivilege	1352	mstsc.exe
Token: SeDebugPrivilege	1028	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1604	RegAsm.exe
Token: SeDebugPrivilege	1280	netsh.exe
Token: SeDebugPrivilege	2036	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1832	RegAsm.exe
Token: SeDebugPrivilege	1224	ipconfig.exe
Token: SeDebugPrivilege	1636	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1656	RegAsm.exe
Token: SeDebugPrivilege	1188	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1704	RegAsm.exe
Token: SeDebugPrivilege	1256	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	588	RegAsm.exe
Token: SeDebugPrivilege	1740	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1884	RegAsm.exe
Token: SeDebugPrivilege	1752	cscript.exe
Token: SeDebugPrivilege	1748	NETSTAT.EXE
Token: SeDebugPrivilege	1516	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1620	RegAsm.exe
Token: SeDebugPrivilege	284	control.exe
Token: SeDebugPrivilege	1056	control.exe
Token: SeDebugPrivilege	1316	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1220	RegAsm.exe
Token: SeDebugPrivilege	1860	msiexec.exe
Token: SeDebugPrivilege	984	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	956	RegAsm.exe
Token: SeDebugPrivilege	1560	msiexec.exe
Token: SeDebugPrivilege	2032	cmd.exe
Token: SeDebugPrivilege	916	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	876	RegAsm.exe
Token: SeDebugPrivilege	2012	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1836	RegAsm.exe
Token: SeDebugPrivilege	968	netsh.exe
Token: SeDebugPrivilege	1120	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1308	RegAsm.exe
Token: SeDebugPrivilege	1184	wlanext.exe
Token: SeDebugPrivilege	980	msiexec.exe
Token: SeDebugPrivilege	1360	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1232	RegAsm.exe
Token: SeDebugPrivilege	1384	wuapp.exe
Token: SeDebugPrivilege	1824	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	1904	RegAsm.exe
Token: SeDebugPrivilege	1780	CONTRACTS DOCUMENTS.exe
Token: SeDebugPrivilege	952	RegAsm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CONTRACTS DOCUMENTS.exeExplorer.EXECONTRACTS DOCUMENTS.exewlanext.exeCONTRACTS DOCUMENTS.exeCONTRACTS DOCUMENTS.exe

description	pid	process	target process
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1688	1744	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1744 wrote to memory of 1624	1744	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1744 wrote to memory of 1624	1744	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1744 wrote to memory of 1624	1744	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1744 wrote to memory of 1624	1744	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1264 wrote to memory of 2024	1264	Explorer.EXE	wlanext.exe
PID 1264 wrote to memory of 2024	1264	Explorer.EXE	wlanext.exe
PID 1264 wrote to memory of 2024	1264	Explorer.EXE	wlanext.exe
PID 1264 wrote to memory of 2024	1264	Explorer.EXE	wlanext.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1624 wrote to memory of 2004	1624	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1264 wrote to memory of 320	1264	Explorer.EXE	ipconfig.exe
PID 1264 wrote to memory of 320	1264	Explorer.EXE	ipconfig.exe
PID 1264 wrote to memory of 320	1264	Explorer.EXE	ipconfig.exe
PID 1264 wrote to memory of 320	1264	Explorer.EXE	ipconfig.exe
PID 1624 wrote to memory of 524	1624	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1624 wrote to memory of 524	1624	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1624 wrote to memory of 524	1624	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1624 wrote to memory of 524	1624	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 2024 wrote to memory of 1288	2024	wlanext.exe	cmd.exe
PID 2024 wrote to memory of 1288	2024	wlanext.exe	cmd.exe
PID 2024 wrote to memory of 1288	2024	wlanext.exe	cmd.exe
PID 2024 wrote to memory of 1288	2024	wlanext.exe	cmd.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 580	524	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 524 wrote to memory of 1712	524	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 524 wrote to memory of 1712	524	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 524 wrote to memory of 1712	524	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 524 wrote to memory of 1712	524	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1152	1712	CONTRACTS DOCUMENTS.exe	RegAsm.exe
PID 1712 wrote to memory of 1028	1712	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1712 wrote to memory of 1028	1712	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1712 wrote to memory of 1028	1712	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1712 wrote to memory of 1028	1712	CONTRACTS DOCUMENTS.exe	CONTRACTS DOCUMENTS.exe
PID 1264 wrote to memory of 1348	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1348	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1348	1264	Explorer.EXE	control.exe
PID 1264 wrote to memory of 1348	1264	Explorer.EXE	control.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTS DOCUMENTS.exe"
21⤵
PID:440

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1288

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:1500

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:592

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1464

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
216KB

MD5
3be793cc456c24741f474e0a7e9e9dda

SHA1
23f715eb3ea125162234fa5aedbe3e79a4287412

SHA256
b9a289e4b32a9d4592cf63aad42628937ce83fb51be4742f1fd8c1ddf747b389

SHA512
34a02e675d57ca4e0d1b32cc68ac99bca9858fad49611e6103077977b04afb91d8b0f6daf8bd104b3ea8fae7a16b233deb76f96e9a0bfe0df76a8b8942844ce0

Download Submit
memory/284-196-0x0000000000000000-mapping.dmp

Download
memory/320-86-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/320-82-0x0000000000000000-mapping.dmp

Download
memory/320-84-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/320-85-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/440-297-0x0000000000000000-mapping.dmp

Download
memory/524-71-0x0000000000000000-mapping.dmp

Download
memory/580-93-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/580-104-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/580-88-0x000000000041B620-mapping.dmp

Download
memory/580-92-0x0000000000E50000-0x0000000001153000-memory.dmp

Filesize
3.0MB

Download
memory/588-162-0x0000000002260000-0x0000000002563000-memory.dmp

Filesize
3.0MB

Download
memory/588-163-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/588-159-0x000000000041B620-mapping.dmp

Download
memory/588-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/876-238-0x000000000041B620-mapping.dmp

Download
memory/916-221-0x0000000000000000-mapping.dmp

Download
memory/952-295-0x000000000041B620-mapping.dmp

Download
memory/956-219-0x000000000041B620-mapping.dmp

Download
memory/968-254-0x0000000000000000-mapping.dmp

Download
memory/980-269-0x0000000000000000-mapping.dmp

Download
memory/984-206-0x0000000000000000-mapping.dmp

Download
memory/1028-101-0x0000000000000000-mapping.dmp

Download
memory/1056-195-0x0000000000000000-mapping.dmp

Download
memory/1120-247-0x0000000000000000-mapping.dmp

Download
memory/1152-96-0x000000000041B620-mapping.dmp

Download
memory/1152-98-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1152-99-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1152-100-0x0000000000DC0000-0x00000000010C3000-memory.dmp

Filesize
3.0MB

Download
memory/1184-265-0x0000000000000000-mapping.dmp

Download
memory/1188-144-0x0000000000000000-mapping.dmp

Download
memory/1220-204-0x000000000041B620-mapping.dmp

Download
memory/1224-140-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1224-139-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/1224-141-0x0000000000CC0000-0x0000000000FC3000-memory.dmp

Filesize
3.0MB

Download
memory/1224-137-0x0000000000000000-mapping.dmp

Download
memory/1232-275-0x000000000041B620-mapping.dmp

Download
memory/1256-153-0x0000000000000000-mapping.dmp

Download
memory/1264-156-0x0000000008710000-0x00000000088AE000-memory.dmp

Filesize
1.6MB

Download
memory/1264-103-0x0000000006D60000-0x0000000006E7B000-memory.dmp

Filesize
1.1MB

Download
memory/1264-94-0x0000000006CA0000-0x0000000006D56000-memory.dmp

Filesize
728KB

Download
memory/1264-105-0x0000000006F90000-0x00000000070CD000-memory.dmp

Filesize
1.2MB

Download
memory/1264-106-0x00000000029A0000-0x0000000002A4D000-memory.dmp

Filesize
692KB

Download
memory/1264-149-0x00000000083F0000-0x00000000084CD000-memory.dmp

Filesize
884KB

Download
memory/1264-77-0x0000000004FE0000-0x00000000050BA000-memory.dmp

Filesize
872KB

Download
memory/1264-64-0x00000000068F0000-0x0000000006A49000-memory.dmp

Filesize
1.3MB

Download
memory/1264-158-0x00000000088B0000-0x000000000898B000-memory.dmp

Filesize
876KB

Download
memory/1264-68-0x0000000006B40000-0x0000000006C9E000-memory.dmp

Filesize
1.4MB

Download
memory/1264-122-0x0000000007600000-0x0000000007797000-memory.dmp

Filesize
1.6MB

Download
memory/1264-136-0x00000000077A0000-0x000000000788B000-memory.dmp

Filesize
940KB

Download
memory/1280-127-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/1280-123-0x0000000000000000-mapping.dmp

Download
memory/1280-128-0x0000000000B70000-0x0000000000E73000-memory.dmp

Filesize
3.0MB

Download
memory/1280-126-0x0000000000F40000-0x0000000000F5B000-memory.dmp

Filesize
108KB

Download
memory/1288-81-0x0000000000000000-mapping.dmp

Download
memory/1308-258-0x000000000041B620-mapping.dmp

Download
memory/1316-189-0x0000000000000000-mapping.dmp

Download
memory/1348-107-0x0000000000000000-mapping.dmp

Download
memory/1348-109-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1348-110-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1348-111-0x0000000001F30000-0x0000000002233000-memory.dmp

Filesize
3.0MB

Download
memory/1352-112-0x0000000000000000-mapping.dmp

Download
memory/1352-115-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1352-114-0x0000000000860000-0x0000000000964000-memory.dmp

Filesize
1.0MB

Download
memory/1352-116-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/1360-264-0x0000000000000000-mapping.dmp

Download
memory/1384-283-0x0000000000000000-mapping.dmp

Download
memory/1516-172-0x0000000000000000-mapping.dmp

Download
memory/1560-229-0x0000000000000000-mapping.dmp

Download
memory/1604-117-0x000000000041B620-mapping.dmp

Download
memory/1604-120-0x0000000000DE0000-0x00000000010E3000-memory.dmp

Filesize
3.0MB

Download
memory/1604-121-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1604-119-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-183-0x000000000041B620-mapping.dmp

Download
memory/1624-65-0x0000000000000000-mapping.dmp

Download
memory/1636-131-0x0000000000000000-mapping.dmp

Download
memory/1656-157-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1656-147-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/1656-142-0x000000000041B620-mapping.dmp

Download
memory/1656-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1656-148-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1688-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1688-62-0x0000000000D60000-0x0000000001063000-memory.dmp

Filesize
3.0MB

Download
memory/1688-63-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1688-67-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1688-58-0x000000000041B620-mapping.dmp

Download
memory/1704-155-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1704-152-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/1704-166-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/1704-150-0x000000000041B620-mapping.dmp

Download
memory/1712-90-0x0000000000000000-mapping.dmp

Download
memory/1740-164-0x0000000000000000-mapping.dmp

Download
memory/1744-56-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1744-60-0x0000000000290000-0x0000000000293000-memory.dmp

Filesize
12KB

Download
memory/1744-55-0x00000000004C0000-0x00000000004F8000-memory.dmp

Filesize
224KB

Download
memory/1744-57-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1744-54-0x0000000000A50000-0x0000000000A8C000-memory.dmp

Filesize
240KB

Download
memory/1748-179-0x0000000000000000-mapping.dmp

Download
memory/1752-175-0x0000000000000000-mapping.dmp

Download
memory/1780-293-0x0000000000000000-mapping.dmp

Download
memory/1824-281-0x0000000000000000-mapping.dmp

Download
memory/1832-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1832-134-0x0000000000E60000-0x0000000001163000-memory.dmp

Filesize
3.0MB

Download
memory/1832-129-0x000000000041B620-mapping.dmp

Download
memory/1832-135-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/1836-245-0x000000000041B620-mapping.dmp

Download
memory/1860-214-0x0000000000000000-mapping.dmp

Download
memory/1884-167-0x000000000041B620-mapping.dmp

Download
memory/1904-287-0x000000000041B620-mapping.dmp

Download
memory/2004-75-0x0000000000D80000-0x0000000001083000-memory.dmp

Filesize
3.0MB

Download
memory/2004-69-0x000000000041B620-mapping.dmp

Download
memory/2004-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-76-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/2012-240-0x0000000000000000-mapping.dmp

Download
memory/2024-78-0x0000000000000000-mapping.dmp

Download
memory/2024-79-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

Filesize
88KB

Download
memory/2024-80-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2024-87-0x0000000000B70000-0x0000000000E73000-memory.dmp

Filesize
3.0MB

Download
memory/2024-95-0x0000000000960000-0x00000000009F3000-memory.dmp

Filesize
588KB

Download
memory/2032-234-0x0000000000000000-mapping.dmp

Download
memory/2036-124-0x0000000000000000-mapping.dmp

Download