djvu | b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
Size

173KB
MD5

40dc83728f9400865041f16615bb596d
SHA1

094f240c203ab96ba0533c83ae0fea7b3878e06a
SHA256

b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd
SHA512

e4a6449eebac49abefae326b4349b3afb599f9e34d34b03bcd0ddf327b7c4be8d3d93f45f3e369a99a2f66b652a9899663b220d8ed7c4c9057d1387b7aeec8a2
SSDEEP

3072:qMqLsW5AfsLuB0jg/MrEXwbURi/BN6aO/Pk9Dn:ILsvIIXwbURiWa

Score

10^/10

djvu raccoon smokeloader 7394a7fc5da9794209d8b0503ca4abf4 backdoor collection discovery persistence ransomware stealer trojan

Malware Config

Extracted

Family

djvu

http://acacaca.org/lancer/get.php

Attributes

extension
.aabn
offline_id
MyudhIExJux2oRQXw95TT1oAPu7mvqRMzxr1eet1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4Xcf4IX21n Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0565Jhyjd

rsa_pubkey.plain

Extracted

Family

raccoon

Botnet

7394a7fc5da9794209d8b0503ca4abf4

http://45.61.137.163

rc4.plain

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3364-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3364-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3364-161-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1376-162-0x0000000002310000-0x000000000242B000-memory.dmp	family_djvu
behavioral1/memory/3364-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3364-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/596-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/596-180-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/596-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/596-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4716-133-0x00000000022C0000-0x00000000022C9000-memory.dmp	family_smokeloader
behavioral1/memory/4524-165-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

C4BC.exeC76D.exeC9DF.exeC76D.exeC76D.exeC76D.exebuild3.exeC4BC.exe55C5.exe59BE.exemstsca.exe

pid process

2980 C4BC.exe
1376 C76D.exe
4524 C9DF.exe
3364 C76D.exe
4968 C76D.exe
596 C76D.exe
4996 build3.exe
1976 C4BC.exe
3032 55C5.exe
976 59BE.exe
4132 mstsca.exe

pid	process
2980	C4BC.exe
1376	C76D.exe
4524	C9DF.exe
3364	C76D.exe
4968	C76D.exe
596	C76D.exe
4996	build3.exe
1976	C4BC.exe
3032	55C5.exe
976	59BE.exe
4132	mstsca.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C76D.exeC4BC.exeC76D.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C76D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C4BC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C76D.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

2020 regsvr32.exe
2020 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2032 icacls.exe

pid	process
2020	regsvr32.exe
2020	regsvr32.exe

pid	process
2032	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C76D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\512903ce-be2f-46fb-8f10-1b92cfb66ddb\\C76D.exe\" --AutoStart"	C76D.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.2ip.ua
28 api.2ip.ua
36 api.2ip.ua

flow	ioc
27	api.2ip.ua
28	api.2ip.ua
36	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

C76D.exeC76D.exeC4BC.exe

description	pid	process	target process
PID 1376 set thread context of 3364	1376	C76D.exe	C76D.exe
PID 4968 set thread context of 596	4968	C76D.exe	C76D.exe
PID 2980 set thread context of 1976	2980	C4BC.exe	C4BC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C9DF.exeb268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C9DF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C9DF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C9DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5028 schtasks.exe
2812 schtasks.exe

pid	process
5028	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe

pid	process
4716	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
4716	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576

pid	process
2576

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exeC9DF.exe

pid	process
4716	b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
2576
2576
2576
2576
4524	C9DF.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

C4BC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2980	C4BC.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeC76D.exeC76D.exeC4BC.exeC76D.exeC76D.exebuild3.exe

description	pid	process	target process
PID 2576 wrote to memory of 2980	2576		C4BC.exe
PID 2576 wrote to memory of 2980	2576		C4BC.exe
PID 2576 wrote to memory of 2980	2576		C4BC.exe
PID 2576 wrote to memory of 4876	2576		regsvr32.exe
PID 2576 wrote to memory of 4876	2576		regsvr32.exe
PID 4876 wrote to memory of 2020	4876	regsvr32.exe	regsvr32.exe
PID 4876 wrote to memory of 2020	4876	regsvr32.exe	regsvr32.exe
PID 4876 wrote to memory of 2020	4876	regsvr32.exe	regsvr32.exe
PID 2576 wrote to memory of 1376	2576		C76D.exe
PID 2576 wrote to memory of 1376	2576		C76D.exe
PID 2576 wrote to memory of 1376	2576		C76D.exe
PID 2576 wrote to memory of 4524	2576		C9DF.exe
PID 2576 wrote to memory of 4524	2576		C9DF.exe
PID 2576 wrote to memory of 4524	2576		C9DF.exe
PID 2576 wrote to memory of 1212	2576		explorer.exe
PID 2576 wrote to memory of 1212	2576		explorer.exe
PID 2576 wrote to memory of 1212	2576		explorer.exe
PID 2576 wrote to memory of 1212	2576		explorer.exe
PID 2576 wrote to memory of 1084	2576		explorer.exe
PID 2576 wrote to memory of 1084	2576		explorer.exe
PID 2576 wrote to memory of 1084	2576		explorer.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 1376 wrote to memory of 3364	1376	C76D.exe	C76D.exe
PID 3364 wrote to memory of 2032	3364	C76D.exe	icacls.exe
PID 3364 wrote to memory of 2032	3364	C76D.exe	icacls.exe
PID 3364 wrote to memory of 2032	3364	C76D.exe	icacls.exe
PID 3364 wrote to memory of 4968	3364	C76D.exe	C76D.exe
PID 3364 wrote to memory of 4968	3364	C76D.exe	C76D.exe
PID 3364 wrote to memory of 4968	3364	C76D.exe	C76D.exe
PID 2980 wrote to memory of 4332	2980	C4BC.exe	powershell.exe
PID 2980 wrote to memory of 4332	2980	C4BC.exe	powershell.exe
PID 2980 wrote to memory of 4332	2980	C4BC.exe	powershell.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 4968 wrote to memory of 596	4968	C76D.exe	C76D.exe
PID 596 wrote to memory of 4996	596	C76D.exe	build3.exe
PID 596 wrote to memory of 4996	596	C76D.exe	build3.exe
PID 596 wrote to memory of 4996	596	C76D.exe	build3.exe
PID 4996 wrote to memory of 5028	4996	build3.exe	schtasks.exe
PID 4996 wrote to memory of 5028	4996	build3.exe	schtasks.exe
PID 4996 wrote to memory of 5028	4996	build3.exe	schtasks.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe
PID 2980 wrote to memory of 1976	2980	C4BC.exe	C4BC.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe
"C:\Users\Admin\AppData\Local\Temp\b268fc37ac06fb1fed12412b6c62578d9e6d5ee9becd843f226d075fd80b53fd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4716

C:\Users\Admin\AppData\Local\Temp\C4BC.exe
C:\Users\Admin\AppData\Local\Temp\C4BC.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Temp\C4BC.exe
C:\Users\Admin\AppData\Local\Temp\C4BC.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C615.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C615.dll
2⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\C76D.exe
C:\Users\Admin\AppData\Local\Temp\C76D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\C76D.exe
C:\Users\Admin\AppData\Local\Temp\C76D.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\512903ce-be2f-46fb-8f10-1b92cfb66ddb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2032

C:\Users\Admin\AppData\Local\Temp\C76D.exe
"C:\Users\Admin\AppData\Local\Temp\C76D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\C76D.exe
"C:\Users\Admin\AppData\Local\Temp\C76D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\bbdfbff1-a5ef-4827-8765-d5b5c813188d\build3.exe
"C:\Users\Admin\AppData\Local\bbdfbff1-a5ef-4827-8765-d5b5c813188d\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:5028

C:\Users\Admin\AppData\Local\Temp\C9DF.exe
C:\Users\Admin\AppData\Local\Temp\C9DF.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\55C5.exe
C:\Users\Admin\AppData\Local\Temp\55C5.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\59BE.exe
C:\Users\Admin\AppData\Local\Temp\59BE.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3552

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3236

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4448

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
1c626eac6241b02b0082a76f150a3a8a

SHA1
b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858

SHA256
412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69

SHA512
8550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
48e98893438d04fa64bb49bbdafbf960

SHA1
e28578281fc80cb97275a94aa0e9da0db8285b87

SHA256
2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

SHA512
9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
467aea6e1a50f3b7642972834fffdd46

SHA1
d887cbdf6cf192b36009efaaad065aef45137290

SHA256
3c146c50fd52d2a2aab131ddf45522890d927b1556a3b7838b9c8d8b249db7b5

SHA512
b6cd3ab450397860f637ea137d188b4e23f2fc5db076906d37746ae1941d134b824e99b9a02f526ed6240fd5bd34f670643a7ca7f630df6de247390c948c2e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
54b3b150faf28d11dacb71ef331cb90b

SHA1
fc27673652a60518083c4b1cbe057802c55c6c6d

SHA256
ea06404a0972c61f8c15431780d83e834f6b6601ef01d6a35e8e39fed10c3dff

SHA512
020896f7f6b973869540071eb779fff9f3d5c003260ca2879746ebf6cf5500bf008ae2dd2847381c477be98a7cdc8a218bd7a59bdf850c362532eb7c55d5aa0a

Download Submit
C:\Users\Admin\AppData\Local\512903ce-be2f-46fb-8f10-1b92cfb66ddb\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\55C5.exe
Filesize
259KB

MD5
28ada9cb1aaa7e50f6018be80cc571a2

SHA1
4774c68897eeb67cb68677dcc358b20b55f38872

SHA256
4e77411086020d24cbd19de80d49641f1dbc25779f186f292844baca30445539

SHA512
82f7aa5881df3a0efb1887a89ce04a3a6664fcd147199fd7e1e822fe5790c523cf66b5289accda325feb8ca940acf0f6b53a52ed8c97138d09eb9c8c40857ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\55C5.exe
Filesize
259KB

MD5
28ada9cb1aaa7e50f6018be80cc571a2

SHA1
4774c68897eeb67cb68677dcc358b20b55f38872

SHA256
4e77411086020d24cbd19de80d49641f1dbc25779f186f292844baca30445539

SHA512
82f7aa5881df3a0efb1887a89ce04a3a6664fcd147199fd7e1e822fe5790c523cf66b5289accda325feb8ca940acf0f6b53a52ed8c97138d09eb9c8c40857ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\59BE.exe
Filesize
400KB

MD5
205884830abfd450bab6880b762f0710

SHA1
b3f6f668521b7f3cbc3ec65afd2f1a729b2382a1

SHA256
bd72caab9be0369fdf97d06a28f76c81dcdb8a92a05ba21a3b08c3edcf6856d2

SHA512
411045963d9a61706be5d2e2c8948c912a7a406787e8f6102e357d5effa8d155cf4bbbf762113c52440ac14627b791b2bff7340310a5879e7540459337dd6248

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BC.exe
Filesize
3.8MB

MD5
5de4381c4ebb62c0a5fa597a8d7a1e36

SHA1
aad96aa981a0185b2f8aa8676c66cb068cf7a088

SHA256
182949a2721465a9f79d6d18edfd3789d5833ef95c5fb9678405ce069cd9f8c9

SHA512
afe7c881e2c9797c00dc19de58866cc36baf82fe1036980e10eae73970781ed4023e8cdc5ffdcd3602e58916d14bc115b90274953d3c19346543d6f5e1c41069

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BC.exe
Filesize
3.8MB

MD5
5de4381c4ebb62c0a5fa597a8d7a1e36

SHA1
aad96aa981a0185b2f8aa8676c66cb068cf7a088

SHA256
182949a2721465a9f79d6d18edfd3789d5833ef95c5fb9678405ce069cd9f8c9

SHA512
afe7c881e2c9797c00dc19de58866cc36baf82fe1036980e10eae73970781ed4023e8cdc5ffdcd3602e58916d14bc115b90274953d3c19346543d6f5e1c41069

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BC.exe
Filesize
3.8MB

MD5
5de4381c4ebb62c0a5fa597a8d7a1e36

SHA1
aad96aa981a0185b2f8aa8676c66cb068cf7a088

SHA256
182949a2721465a9f79d6d18edfd3789d5833ef95c5fb9678405ce069cd9f8c9

SHA512
afe7c881e2c9797c00dc19de58866cc36baf82fe1036980e10eae73970781ed4023e8cdc5ffdcd3602e58916d14bc115b90274953d3c19346543d6f5e1c41069

Download Submit
C:\Users\Admin\AppData\Local\Temp\C615.dll
Filesize
1.4MB

MD5
3ee96204441d27dcc2de050ede40c2a3

SHA1
3b2d387ca9663b7b1abf4531f85545c9df0cb076

SHA256
4061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda

SHA512
133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\C615.dll
Filesize
1.4MB

MD5
3ee96204441d27dcc2de050ede40c2a3

SHA1
3b2d387ca9663b7b1abf4531f85545c9df0cb076

SHA256
4061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda

SHA512
133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\C615.dll
Filesize
1.4MB

MD5
3ee96204441d27dcc2de050ede40c2a3

SHA1
3b2d387ca9663b7b1abf4531f85545c9df0cb076

SHA256
4061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda

SHA512
133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C76D.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9DF.exe
Filesize
173KB

MD5
86136e9d05b11141e16faae9ea8e2f76

SHA1
7eb67675097aca63208ddc27f665a770f2f9d508

SHA256
b1fdd94cb5124f81c7380ac1b1281fff796d0c0ed1c7f3852bcae114a7eb73a1

SHA512
c600e2fabcd48cd28e81cd2bea075a247dded9c3daa09b8fc3bd109be59c1f3e5bc62a0e054ae559d64a9bd2eb2c0fd3f4074cafd37e23ada5fd3a49b578b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9DF.exe
Filesize
173KB

MD5
86136e9d05b11141e16faae9ea8e2f76

SHA1
7eb67675097aca63208ddc27f665a770f2f9d508

SHA256
b1fdd94cb5124f81c7380ac1b1281fff796d0c0ed1c7f3852bcae114a7eb73a1

SHA512
c600e2fabcd48cd28e81cd2bea075a247dded9c3daa09b8fc3bd109be59c1f3e5bc62a0e054ae559d64a9bd2eb2c0fd3f4074cafd37e23ada5fd3a49b578b58b

Download Submit
C:\Users\Admin\AppData\Local\bbdfbff1-a5ef-4827-8765-d5b5c813188d\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\bbdfbff1-a5ef-4827-8765-d5b5c813188d\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/596-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/596-177-0x0000000000000000-mapping.dmp

Download
memory/596-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/596-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/596-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/976-215-0x0000000000000000-mapping.dmp

Download
memory/1084-154-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/1084-153-0x0000000000000000-mapping.dmp

Download
memory/1212-160-0x0000000000780000-0x00000000007F5000-memory.dmp

Filesize
468KB

Download
memory/1212-163-0x0000000000710000-0x000000000077B000-memory.dmp

Filesize
428KB

Download
memory/1212-152-0x0000000000000000-mapping.dmp

Download
memory/1376-142-0x0000000000000000-mapping.dmp

Download
memory/1376-162-0x0000000002310000-0x000000000242B000-memory.dmp

Filesize
1.1MB

Download
memory/1376-159-0x000000000212F000-0x00000000021C0000-memory.dmp

Filesize
580KB

Download
memory/1804-231-0x0000000000DB0000-0x0000000000DD7000-memory.dmp

Filesize
156KB

Download
memory/1804-229-0x0000000000000000-mapping.dmp

Download
memory/1804-230-0x0000000001000000-0x0000000001022000-memory.dmp

Filesize
136KB

Download
memory/1804-251-0x0000000001000000-0x0000000001022000-memory.dmp

Filesize
136KB

Download
memory/1976-206-0x0000000000000000-mapping.dmp

Download
memory/1976-211-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1976-210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1976-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2020-200-0x00000000029B0000-0x0000000002A97000-memory.dmp

Filesize
924KB

Download
memory/2020-147-0x00000000024F0000-0x0000000002656000-memory.dmp

Filesize
1.4MB

Download
memory/2020-197-0x0000000002B60000-0x0000000002C08000-memory.dmp

Filesize
672KB

Download
memory/2020-174-0x0000000002790000-0x00000000028BC000-memory.dmp

Filesize
1.2MB

Download
memory/2020-175-0x00000000029B0000-0x0000000002A97000-memory.dmp

Filesize
924KB

Download
memory/2020-141-0x0000000000000000-mapping.dmp

Download
memory/2020-194-0x0000000002AA0000-0x0000000002B5C000-memory.dmp

Filesize
752KB

Download
memory/2032-168-0x0000000000000000-mapping.dmp

Download
memory/2812-249-0x0000000000000000-mapping.dmp

Download
memory/2980-148-0x0000000000EC0000-0x00000000012A0000-memory.dmp

Filesize
3.9MB

Download
memory/2980-136-0x0000000000000000-mapping.dmp

Download
memory/2980-170-0x0000000006A10000-0x0000000006A32000-memory.dmp

Filesize
136KB

Download
memory/3032-212-0x0000000000000000-mapping.dmp

Download
memory/3236-246-0x0000000000F40000-0x0000000000F45000-memory.dmp

Filesize
20KB

Download
memory/3236-223-0x0000000000000000-mapping.dmp

Download
memory/3236-225-0x0000000000F30000-0x0000000000F39000-memory.dmp

Filesize
36KB

Download
memory/3236-224-0x0000000000F40000-0x0000000000F45000-memory.dmp

Filesize
20KB

Download
memory/3364-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3364-155-0x0000000000000000-mapping.dmp

Download
memory/3364-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3364-161-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3364-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3364-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3496-220-0x0000000000000000-mapping.dmp

Download
memory/3496-222-0x00000000012B0000-0x00000000012BF000-memory.dmp

Filesize
60KB

Download
memory/3496-221-0x00000000012C0000-0x00000000012C9000-memory.dmp

Filesize
36KB

Download
memory/3496-245-0x00000000012C0000-0x00000000012C9000-memory.dmp

Filesize
36KB

Download
memory/3552-244-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3552-219-0x0000000000930000-0x000000000093B000-memory.dmp

Filesize
44KB

Download
memory/3552-217-0x0000000000000000-mapping.dmp

Download
memory/3552-218-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3712-226-0x0000000000000000-mapping.dmp

Download
memory/3712-250-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/3712-228-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/3712-227-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/4332-191-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/4332-193-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4332-192-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4332-195-0x0000000007220000-0x000000000789A000-memory.dmp

Filesize
6.5MB

Download
memory/4332-184-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/4332-183-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/4332-196-0x00000000060D0000-0x00000000060EA000-memory.dmp

Filesize
104KB

Download
memory/4332-176-0x0000000000000000-mapping.dmp

Download
memory/4448-243-0x0000000000B60000-0x0000000000B6B000-memory.dmp

Filesize
44KB

Download
memory/4448-242-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/4448-241-0x0000000000000000-mapping.dmp

Download
memory/4448-255-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/4524-190-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4524-166-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4524-165-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4524-164-0x0000000000699000-0x00000000006AA000-memory.dmp

Filesize
68KB

Download
memory/4524-149-0x0000000000000000-mapping.dmp

Download
memory/4716-135-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4716-134-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4716-133-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/4716-132-0x0000000000678000-0x0000000000689000-memory.dmp

Filesize
68KB

Download
memory/4872-234-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/4872-233-0x00000000010E0000-0x00000000010E5000-memory.dmp

Filesize
20KB

Download
memory/4872-252-0x00000000010E0000-0x00000000010E5000-memory.dmp

Filesize
20KB

Download
memory/4872-232-0x0000000000000000-mapping.dmp

Download
memory/4876-139-0x0000000000000000-mapping.dmp

Download
memory/4968-181-0x0000000000767000-0x00000000007F8000-memory.dmp

Filesize
580KB

Download
memory/4968-171-0x0000000000000000-mapping.dmp

Download
memory/4996-202-0x0000000000000000-mapping.dmp

Download
memory/5024-237-0x00000000012F0000-0x00000000012FB000-memory.dmp

Filesize
44KB

Download
memory/5024-236-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/5024-235-0x0000000000000000-mapping.dmp

Download
memory/5024-253-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/5028-205-0x0000000000000000-mapping.dmp

Download
memory/5072-240-0x0000000000DB0000-0x0000000000DBD000-memory.dmp

Filesize
52KB

Download
memory/5072-239-0x0000000000DC0000-0x0000000000DC7000-memory.dmp

Filesize
28KB

Download
memory/5072-238-0x0000000000000000-mapping.dmp

Download
memory/5072-254-0x0000000000DC0000-0x0000000000DC7000-memory.dmp

Filesize
28KB

Download