djvu | 6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-20220414-en
submitted
29-06-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
Size

280KB
MD5

8126ab5887e145821e5e134015cf1fc6
SHA1

7c29eb1405474af6827bcdf3ae30c98366b4f284
SHA256

6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35
SHA512

87fdc2ac0cb8dcf65adb12ac4dfbb4fccbb9aad87647c6b7a05dfff38f8bcdd478438eb4665ef6d36f241b34b483c0c88593aeb1b1fa7995d616d00177dfc4e5

Score

10^/10

djvu recordbreaker redline vidar 517 mario2 collection discovery infostealer persistence ransomware spyware stealer suricata

Malware Config

Extracted

Family

djvu

http://acacaca.org/lancer/get.php

Attributes

extension
.llqq
offline_id
YfcXKGLzjXMjQRwrhUHzsXjmASQ6mo4zjmEj9st1
payload_url
http://rgyui.top/dl/build2.exe

http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-OIgf49CYf3 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0507Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.7

Botnet

517

https://t.me/tg_superch

https://climatejustice.social/@olegf9844

Attributes

profile_id
517

Extracted

Family

redline

Botnet

mario2

193.106.191.129:80

Attributes

auth_value
4ef7e3fec3a418b2f0233b604d0560d9

Signatures

Detected Djvu ransomware 7 IoCs

resource	yara_rule
behavioral1/memory/4204-274-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3924-279-0x00000000028B0000-0x00000000029CB000-memory.dmp	family_djvu
behavioral1/memory/4204-329-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4204-377-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1012-404-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1012-451-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1012-678-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/432-874-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/4136-654-0x000000000042300C-mapping.dmp	family_vidar
behavioral1/memory/4136-681-0x0000000000400000-0x000000000045D000-memory.dmp	family_vidar
behavioral1/memory/4136-906-0x0000000000400000-0x000000000045D000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
1968	4C6A.exe
4784	8212.exe
3924	AAB9.exe
4204	AAB9.exe
4644	AAB9.exe
1012	AAB9.exe
2136	CF88.exe
1800	build2.exe
4424	E004.exe
4136	build2.exe
5064	E004.exe
3700	5F56.exe
4856	SmartClock.exe

Deletes itself 1 IoCs

pid	Process
2836	Process not Found

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	5F56.exe

Loads dropped DLL 2 IoCs

pid	Process
4136	build2.exe
4136	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4248	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f6583b2-4bc7-46ad-9b21-83fa2239d1ae\\AAB9.exe\" --AutoStart"	AAB9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.2ip.ua
27	api.2ip.ua
36	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 4204	3924	AAB9.exe	69
PID 4644 set thread context of 1012	4644	AAB9.exe	73
PID 1800 set thread context of 4136	1800	build2.exe	80
PID 4424 set thread context of 5064	4424	E004.exe	81
PID 1968 set thread context of 432	1968	4C6A.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF88.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF88.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AAB9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AAB9.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4856	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
2344	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2344	6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2136	CF88.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeDebugPrivilege	432	InstallUtil.exe
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2836	Process not Found
2836	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1968	2836	Process not Found	66
PID 2836 wrote to memory of 1968	2836	Process not Found	66
PID 2836 wrote to memory of 1968	2836	Process not Found	66
PID 2836 wrote to memory of 4784	2836	Process not Found	67
PID 2836 wrote to memory of 4784	2836	Process not Found	67
PID 2836 wrote to memory of 4784	2836	Process not Found	67
PID 2836 wrote to memory of 3924	2836	Process not Found	68
PID 2836 wrote to memory of 3924	2836	Process not Found	68
PID 2836 wrote to memory of 3924	2836	Process not Found	68
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 3924 wrote to memory of 4204	3924	AAB9.exe	69
PID 4204 wrote to memory of 4248	4204	AAB9.exe	70
PID 4204 wrote to memory of 4248	4204	AAB9.exe	70
PID 4204 wrote to memory of 4248	4204	AAB9.exe	70
PID 4204 wrote to memory of 4644	4204	AAB9.exe	71
PID 4204 wrote to memory of 4644	4204	AAB9.exe	71
PID 4204 wrote to memory of 4644	4204	AAB9.exe	71
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 4644 wrote to memory of 1012	4644	AAB9.exe	73
PID 2836 wrote to memory of 2136	2836	Process not Found	74
PID 2836 wrote to memory of 2136	2836	Process not Found	74
PID 2836 wrote to memory of 2136	2836	Process not Found	74
PID 1012 wrote to memory of 1800	1012	AAB9.exe	75
PID 1012 wrote to memory of 1800	1012	AAB9.exe	75
PID 1012 wrote to memory of 1800	1012	AAB9.exe	75
PID 2836 wrote to memory of 4424	2836	Process not Found	76
PID 2836 wrote to memory of 4424	2836	Process not Found	76
PID 2836 wrote to memory of 4424	2836	Process not Found	76
PID 2836 wrote to memory of 1408	2836	Process not Found	78
PID 2836 wrote to memory of 1408	2836	Process not Found	78
PID 2836 wrote to memory of 1408	2836	Process not Found	78
PID 2836 wrote to memory of 1408	2836	Process not Found	78
PID 2836 wrote to memory of 4816	2836	Process not Found	79
PID 2836 wrote to memory of 4816	2836	Process not Found	79
PID 2836 wrote to memory of 4816	2836	Process not Found	79
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 1800 wrote to memory of 4136	1800	build2.exe	80
PID 4424 wrote to memory of 5064	4424	E004.exe	81
PID 4424 wrote to memory of 5064	4424	E004.exe	81
PID 4424 wrote to memory of 5064	4424	E004.exe	81
PID 4424 wrote to memory of 5064	4424	E004.exe	81
PID 4424 wrote to memory of 5064	4424	E004.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe
"C:\Users\Admin\AppData\Local\Temp\6c9b2f6352c5240b039bef393bcdc9ccc81356ec35ed5bd221fcdebe80be4e35.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2344

C:\Users\Admin\AppData\Local\Temp\4C6A.exe
C:\Users\Admin\AppData\Local\Temp\4C6A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:432

C:\Users\Admin\AppData\Local\Temp\8212.exe
C:\Users\Admin\AppData\Local\Temp\8212.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\AAB9.exe
C:\Users\Admin\AppData\Local\Temp\AAB9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\AAB9.exe
  C:\Users\Admin\AppData\Local\Temp\AAB9.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0f6583b2-4bc7-46ad-9b21-83fa2239d1ae" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\AAB9.exe
    "C:\Users\Admin\AppData\Local\Temp\AAB9.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\AAB9.exe
      "C:\Users\Admin\AppData\Local\Temp\AAB9.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe
        
        "C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe
        
        "C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4136

C:\Users\Admin\AppData\Local\Temp\CF88.exe
C:\Users\Admin\AppData\Local\Temp\CF88.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2136

C:\Users\Admin\AppData\Local\Temp\E004.exe
C:\Users\Admin\AppData\Local\Temp\E004.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\E004.exe
  "C:\Users\Admin\AppData\Local\Temp\E004.exe"
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\5F56.exe
C:\Users\Admin\AppData\Local\Temp\5F56.exe
1⤵
- Executes dropped EXE
- Drops startup file
PID:3700
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
d5961e2b0bfff47585def7a142032bc7

SHA1
bac522f2bfe929d0a9865bbae4997c966a981239

SHA256
8855e233725857c9cfb28ff44edde267c39f56150228c7505f6ce328fdae846a

SHA512
46846503eb0e45b98465a78402b2c443eae6d7cbe0b1d8a09399a6a8408444e92a932fb8e1c99fe6505c26d0379d00b026e9fc608e1a2e2af7131a20e7c59f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
b315b3f5f97226f5dd9e59adbdac03e4

SHA1
e7f513b703598517413b702f6a7e5db0f479e31a

SHA256
16b96325c2dbd241387842c4d464d1098827cbd97abd940647e7893a12243fea

SHA512
5650e2c7e80debdd930c016c674390e2fa5c6d7bbdade707785708f4dddecf5a0650bb0c2a52e1015f3c32e510901a70da9fc0e99898b97a6ed945bdb31e1c3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
9c5fbd13d9e83e2528c34b4d6ffc7a50

SHA1
deb8fd5406e8bb3f81e38b2f7011ab3bf9678494

SHA256
bfd29335896103ad12f685531b17568cf0a47e8ae8b6ed4da287f931ac06dfd8

SHA512
aa5dc590c7e5cda6ef162c9d9d77905b107172659f89d29345642c18eade94bdc94d85812738281487273ebcaaaa30409f72b83808a3b7fda431e9ada066b183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
41853a9f548933cc4c32bd3ae70e63e4

SHA1
f66dad0ea69c4a3483fc21ada34fd87fb98bc94c

SHA256
786fb303fb18e222d5e446cb76808baa7501cf623d6a3dd39a80c87676dd0571

SHA512
b46f987755f95e78dcf046b8e7dfdc1f7e0a2d0ba2cd7f866adf19f99fc15200fd4b6a4994fed00d2064187051cd4bc5260af03147acfa78a011047a46c92f7f

Download Submit
C:\Users\Admin\AppData\Local\0f6583b2-4bc7-46ad-9b21-83fa2239d1ae\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe

Filesize
427KB

MD5
aadd654ebf06002831444be8a618c0ab

SHA1
7a7723b9dd5116fe9ad8198c32fd309cacade1b4

SHA256
b457355c3e2120c2bbf8593ad7d60583359dc87f934a13f70c86b58bad23740c

SHA512
1e9da3d4820c414bb8bc12ea5edfb76ff4aa584487401f9708b56c0f4ba3a25d180d36027a681df438786de2302dc636b0d65ce86eda0da4ef6835a2495c2ea8

Download Submit
C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe

Filesize
427KB

MD5
aadd654ebf06002831444be8a618c0ab

SHA1
7a7723b9dd5116fe9ad8198c32fd309cacade1b4

SHA256
b457355c3e2120c2bbf8593ad7d60583359dc87f934a13f70c86b58bad23740c

SHA512
1e9da3d4820c414bb8bc12ea5edfb76ff4aa584487401f9708b56c0f4ba3a25d180d36027a681df438786de2302dc636b0d65ce86eda0da4ef6835a2495c2ea8

Download Submit
C:\Users\Admin\AppData\Local\853e71c2-cd40-46c6-a182-01d135a73319\build2.exe

Filesize
427KB

MD5
aadd654ebf06002831444be8a618c0ab

SHA1
7a7723b9dd5116fe9ad8198c32fd309cacade1b4

SHA256
b457355c3e2120c2bbf8593ad7d60583359dc87f934a13f70c86b58bad23740c

SHA512
1e9da3d4820c414bb8bc12ea5edfb76ff4aa584487401f9708b56c0f4ba3a25d180d36027a681df438786de2302dc636b0d65ce86eda0da4ef6835a2495c2ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C6A.exe

Filesize
1.6MB

MD5
df9cc49add3e01f23c63b0f73469f752

SHA1
6f8199ae9280e13671f5eb5715b093cd93f6732e

SHA256
b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

SHA512
09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C6A.exe

Filesize
1.6MB

MD5
df9cc49add3e01f23c63b0f73469f752

SHA1
6f8199ae9280e13671f5eb5715b093cd93f6732e

SHA256
b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

SHA512
09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F56.exe

Filesize
725KB

MD5
9e38b026309bc734e745b59653f2b6f2

SHA1
6f60fda1fae89555573f518e2d408982eafd6e94

SHA256
c6bd957353e6040f0461bd732d8a16917edeba61aeb4067803dd480a5ec2f59b

SHA512
a8d4bc81a5c195eeba5f6fd274a35599f9eaef73a8cd9f2399326717254d38abb537778cd1ab1ce480b3db7dec2a8785b26881ba10967871e08cbc2f949c7867

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F56.exe

Filesize
725KB

MD5
9e38b026309bc734e745b59653f2b6f2

SHA1
6f60fda1fae89555573f518e2d408982eafd6e94

SHA256
c6bd957353e6040f0461bd732d8a16917edeba61aeb4067803dd480a5ec2f59b

SHA512
a8d4bc81a5c195eeba5f6fd274a35599f9eaef73a8cd9f2399326717254d38abb537778cd1ab1ce480b3db7dec2a8785b26881ba10967871e08cbc2f949c7867

Download Submit
C:\Users\Admin\AppData\Local\Temp\8212.exe

Filesize
6.6MB

MD5
a840af25865513286606284b38490add

SHA1
3ab6eaaa2457f3afc1a37645152a91efa95751af

SHA256
26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

SHA512
fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8212.exe

Filesize
6.6MB

MD5
a840af25865513286606284b38490add

SHA1
3ab6eaaa2457f3afc1a37645152a91efa95751af

SHA256
26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

SHA512
fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB9.exe

Filesize
797KB

MD5
05dbd5df04d04a904d03888123e8fbcb

SHA1
1ad702ad4643e57d14a26315f1398f63f361a864

SHA256
f1d75877f0208ac88b0b9bb1bb02f8d8f7d963ddf5908499639455e9dcfe802a

SHA512
eb5d6632f1e7d095724f12f655ae7ed398dccec89645300f1ded6098368b7448c869aab312f16129497e4e20460f06b2c8eebd57c4ed67969f13cba908b57131

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF88.exe

Filesize
279KB

MD5
0fa8df95b548edddd6952654dfcf2b65

SHA1
7d37ec9b7dce276b86ec3a9087e0a977e9aed846

SHA256
e6c4d30c751e64d6f17afc3eb1d7cfbff6db2ef7cefc56588a7b73ffe94aff15

SHA512
63ded38629428652d7ed8b155520fc59675b9aeb29fdaba6bb2498a4403e4cc1fce96500e795bb2ea3b7cda3f0bbcca915259c880d5b308b9d2fa3728a68f3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF88.exe

Filesize
279KB

MD5
0fa8df95b548edddd6952654dfcf2b65

SHA1
7d37ec9b7dce276b86ec3a9087e0a977e9aed846

SHA256
e6c4d30c751e64d6f17afc3eb1d7cfbff6db2ef7cefc56588a7b73ffe94aff15

SHA512
63ded38629428652d7ed8b155520fc59675b9aeb29fdaba6bb2498a4403e4cc1fce96500e795bb2ea3b7cda3f0bbcca915259c880d5b308b9d2fa3728a68f3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E004.exe

Filesize
1.0MB

MD5
4d0ae02492413cf68cf272e98b034769

SHA1
8f803aed2a5af8d6d1d758865ede835c38d1a43d

SHA256
e56d384cfb275975f64cf8d59484df6d305fb41d0f98dcbce30b0497d09d173b

SHA512
c2e29fb9b70001a5f7f84ebb13c66d20f694aee0f90d12a648656e49b28e670bff1770bcd6fd403e515c0c8cdf811f035c9a24e10c22491082152c6c373748c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E004.exe

Filesize
1.0MB

MD5
4d0ae02492413cf68cf272e98b034769

SHA1
8f803aed2a5af8d6d1d758865ede835c38d1a43d

SHA256
e56d384cfb275975f64cf8d59484df6d305fb41d0f98dcbce30b0497d09d173b

SHA512
c2e29fb9b70001a5f7f84ebb13c66d20f694aee0f90d12a648656e49b28e670bff1770bcd6fd403e515c0c8cdf811f035c9a24e10c22491082152c6c373748c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E004.exe

Filesize
1.0MB

MD5
4d0ae02492413cf68cf272e98b034769

SHA1
8f803aed2a5af8d6d1d758865ede835c38d1a43d

SHA256
e56d384cfb275975f64cf8d59484df6d305fb41d0f98dcbce30b0497d09d173b

SHA512
c2e29fb9b70001a5f7f84ebb13c66d20f694aee0f90d12a648656e49b28e670bff1770bcd6fd403e515c0c8cdf811f035c9a24e10c22491082152c6c373748c0

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
725KB

MD5
9e38b026309bc734e745b59653f2b6f2

SHA1
6f60fda1fae89555573f518e2d408982eafd6e94

SHA256
c6bd957353e6040f0461bd732d8a16917edeba61aeb4067803dd480a5ec2f59b

SHA512
a8d4bc81a5c195eeba5f6fd274a35599f9eaef73a8cd9f2399326717254d38abb537778cd1ab1ce480b3db7dec2a8785b26881ba10967871e08cbc2f949c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
725KB

MD5
9e38b026309bc734e745b59653f2b6f2

SHA1
6f60fda1fae89555573f518e2d408982eafd6e94

SHA256
c6bd957353e6040f0461bd732d8a16917edeba61aeb4067803dd480a5ec2f59b

SHA512
a8d4bc81a5c195eeba5f6fd274a35599f9eaef73a8cd9f2399326717254d38abb537778cd1ab1ce480b3db7dec2a8785b26881ba10967871e08cbc2f949c7867

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/432-902-0x0000000005140000-0x000000000518B000-memory.dmp

Filesize
300KB

Download
memory/432-946-0x0000000007CF0000-0x0000000007EB2000-memory.dmp

Filesize
1.8MB

Download
memory/432-950-0x00000000070C0000-0x0000000007110000-memory.dmp

Filesize
320KB

Download
memory/432-874-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/432-895-0x0000000005690000-0x0000000005C96000-memory.dmp

Filesize
6.0MB

Download
memory/432-896-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/432-897-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/432-900-0x0000000005100000-0x000000000513E000-memory.dmp

Filesize
248KB

Download
memory/432-947-0x00000000083F0000-0x000000000891C000-memory.dmp

Filesize
5.2MB

Download
memory/432-930-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/432-938-0x0000000006460000-0x00000000064D6000-memory.dmp

Filesize
472KB

Download
memory/432-944-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/432-940-0x0000000006B70000-0x000000000706E000-memory.dmp

Filesize
5.0MB

Download
memory/432-939-0x00000000065D0000-0x0000000006662000-memory.dmp

Filesize
584KB

Download
memory/1012-451-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1012-678-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1408-797-0x0000000000AA0000-0x0000000000B0B000-memory.dmp

Filesize
428KB

Download
memory/1408-710-0x0000000000B10000-0x0000000000B84000-memory.dmp

Filesize
464KB

Download
memory/1408-712-0x0000000000AA0000-0x0000000000B0B000-memory.dmp

Filesize
428KB

Download
memory/1800-660-0x0000000002ECA000-0x0000000002EF5000-memory.dmp

Filesize
172KB

Download
memory/1800-639-0x0000000002C90000-0x0000000002D3E000-memory.dmp

Filesize
696KB

Download
memory/1800-637-0x0000000002ECA000-0x0000000002EF5000-memory.dmp

Filesize
172KB

Download
memory/1968-178-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-241-0x00000000027D0000-0x0000000002921000-memory.dmp

Filesize
1.3MB

Download
memory/1968-174-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-176-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-169-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-177-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-162-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-161-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-180-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-160-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-183-0x00000000023C0000-0x00000000027C1000-memory.dmp

Filesize
4.0MB

Download
memory/1968-185-0x00000000027D0000-0x0000000002921000-memory.dmp

Filesize
1.3MB

Download
memory/1968-743-0x000000000E980000-0x000000000EAC5000-memory.dmp

Filesize
1.3MB

Download
memory/1968-168-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-159-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-172-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-175-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-179-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-181-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-163-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-171-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-170-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-167-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-210-0x00000000023C0000-0x00000000027C1000-memory.dmp

Filesize
4.0MB

Download
memory/1968-158-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-173-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-166-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-164-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2136-544-0x0000000000C60000-0x0000000000C69000-memory.dmp

Filesize
36KB

Download
memory/2136-652-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/2136-542-0x0000000000C80000-0x0000000000DCA000-memory.dmp

Filesize
1.3MB

Download
memory/2136-547-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/2344-150-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-127-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-119-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-120-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-121-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-122-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-123-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-124-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-126-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-155-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/2344-154-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-153-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-128-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-152-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-151-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-129-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-130-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-149-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-131-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-132-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-133-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-134-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-148-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-147-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-146-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/2344-135-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-136-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-137-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-138-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-139-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-140-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-142-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-118-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-145-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-141-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/2344-144-0x0000000000B90000-0x0000000000B99000-memory.dmp

Filesize
36KB

Download
memory/2344-143-0x0000000000BF0000-0x0000000000C9E000-memory.dmp

Filesize
696KB

Download
memory/3700-1003-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/3700-978-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download
memory/3700-1013-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/3700-1010-0x0000000002890000-0x0000000002921000-memory.dmp

Filesize
580KB

Download
memory/3700-981-0x0000000002890000-0x0000000002921000-memory.dmp

Filesize
580KB

Download
memory/3924-277-0x0000000000CB0000-0x0000000000DFA000-memory.dmp

Filesize
1.3MB

Download
memory/3924-279-0x00000000028B0000-0x00000000029CB000-memory.dmp

Filesize
1.1MB

Download
memory/4136-681-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4136-906-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4204-329-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4204-377-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4424-602-0x0000000000030000-0x000000000017A000-memory.dmp

Filesize
1.3MB

Download
memory/4784-235-0x0000000000BF0000-0x000000000164C000-memory.dmp

Filesize
10.4MB

Download
memory/4784-191-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-192-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-195-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-193-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-196-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-188-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-190-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-189-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-627-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/4856-1050-0x0000000000D30000-0x0000000000DBB000-memory.dmp

Filesize
556KB

Download
memory/4856-1051-0x0000000000400000-0x0000000000BA8000-memory.dmp

Filesize
7.7MB

Download
memory/4856-1052-0x0000000000D30000-0x0000000000DBB000-memory.dmp

Filesize
556KB

Download