djvu | 356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
22-09-2022 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
Size

280KB
MD5

231968c7ccf7b87cc4f934e489f87a46
SHA1

d3294362646a550a547a42797127273f6c80ea06
SHA256

356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b
SHA512

895976c7a445c1c58ea2cada7b2bb60822e897059082fe0e6d8fa1bd9c73d70d2aad8a274b87139600e02efb5ecc637093eef14259a4645f59dc0780045665a0
SSDEEP

6144:3SLwXcv+Ahx8oLIpOwvyu2g6NJK9KWyQjMWv0fNigavwVftzC:3S0M2Ah7SOwvyu2BJK9KmjMVfwA+

Score

10^/10

djvu raccoon redline smokeloader 7394a7fc5da9794209d8b0503ca4abf4 logsdiller cloud (sup: @mr_golds)backdoor collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://acacaca.org/lancer/get.php

Attributes

extension
.aabn
offline_id
MyudhIExJux2oRQXw95TT1oAPu7mvqRMzxr1eet1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4Xcf4IX21n Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0565Jhyjd

rsa_pubkey.plain

Extracted

Family

raccoon

Botnet

7394a7fc5da9794209d8b0503ca4abf4

http://45.8.145.203

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Signatures

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3540-268-0x00000000022C0000-0x00000000023DB000-memory.dmp	family_djvu
behavioral1/memory/4996-279-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4996-416-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4996-533-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2464-562-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2464-634-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2464-814-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-489-0x00000000004A0000-0x00000000004A9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/74480-1050-0x000000000057217A-mapping.dmp	family_redline
behavioral1/memory/74480-1291-0x0000000000550000-0x0000000000578000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

1F7F.exe2676.exe3A3D.exe1F7F.exe1F7F.exe1F7F.exebuild2.exebuild2.exeDE3E.exeE729.exe

pid process

3540 1F7F.exe
1944 2676.exe
1932 3A3D.exe
4996 1F7F.exe
3464 1F7F.exe
2464 1F7F.exe
3540 build2.exe
3776 build2.exe
3932 DE3E.exe
4924 E729.exe
Deletes itself 1 IoCs

Processes:

pid process

3012
Loads dropped DLL 6 IoCs

Processes:

regsvr32.exe3A3D.exebuild2.exe

pid process

4356 regsvr32.exe
1932 3A3D.exe
1932 3A3D.exe
1932 3A3D.exe
3776 build2.exe
3776 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1780 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3540	1F7F.exe
1944	2676.exe
1932	3A3D.exe
4996	1F7F.exe
3464	1F7F.exe
2464	1F7F.exe
3540	build2.exe
3776	build2.exe
3932	DE3E.exe
4924	E729.exe

pid	process
3012

pid	process
4356	regsvr32.exe
1932	3A3D.exe
1932	3A3D.exe
1932	3A3D.exe
3776	build2.exe
3776	build2.exe

pid	process
1780	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1F7F.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\19d571df-bb1b-42ce-9374-476e8a706ea1\\1F7F.exe\" --AutoStart"	1F7F.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.2ip.ua
7 api.2ip.ua
18 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3A3D.exe

pid process

1932 3A3D.exe
1932 3A3D.exe

flow	ioc
6	api.2ip.ua
7	api.2ip.ua
18	api.2ip.ua

pid	process
1932	3A3D.exe
1932	3A3D.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1F7F.exe1F7F.exebuild2.exeE729.exe

description	pid	process	target process
PID 3540 set thread context of 4996	3540	1F7F.exe	1F7F.exe
PID 3464 set thread context of 2464	3464	1F7F.exe	1F7F.exe
PID 3540 set thread context of 3776	3540	build2.exe	build2.exe
PID 4924 set thread context of 74480	4924	E729.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2676.exe356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2676.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2676.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2700 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4564 taskkill.exe

pid	process
2700	timeout.exe

pid	process
4564	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe

pid	process
1928	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
1928	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3012

pid	process
3012

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe2676.exe

pid	process
1928	356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
3012
3012
3012
3012
1944	2676.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

taskkill.exepowershell.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	74704	powershell.exe
Token: SeDebugPrivilege	74480	AppLaunch.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe1F7F.exe1F7F.exe1F7F.exe1F7F.exebuild2.exebuild2.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 3692	3012		regsvr32.exe
PID 3012 wrote to memory of 3692	3012		regsvr32.exe
PID 3692 wrote to memory of 4356	3692	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 4356	3692	regsvr32.exe	regsvr32.exe
PID 3692 wrote to memory of 4356	3692	regsvr32.exe	regsvr32.exe
PID 3012 wrote to memory of 3540	3012		1F7F.exe
PID 3012 wrote to memory of 3540	3012		1F7F.exe
PID 3012 wrote to memory of 3540	3012		1F7F.exe
PID 3012 wrote to memory of 1944	3012		2676.exe
PID 3012 wrote to memory of 1944	3012		2676.exe
PID 3012 wrote to memory of 1944	3012		2676.exe
PID 3012 wrote to memory of 1932	3012		3A3D.exe
PID 3012 wrote to memory of 1932	3012		3A3D.exe
PID 3012 wrote to memory of 1932	3012		3A3D.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3540 wrote to memory of 4996	3540	1F7F.exe	1F7F.exe
PID 3012 wrote to memory of 3684	3012		explorer.exe
PID 3012 wrote to memory of 3684	3012		explorer.exe
PID 3012 wrote to memory of 3684	3012		explorer.exe
PID 3012 wrote to memory of 3684	3012		explorer.exe
PID 3012 wrote to memory of 4724	3012		explorer.exe
PID 3012 wrote to memory of 4724	3012		explorer.exe
PID 3012 wrote to memory of 4724	3012		explorer.exe
PID 4996 wrote to memory of 1780	4996	1F7F.exe	icacls.exe
PID 4996 wrote to memory of 1780	4996	1F7F.exe	icacls.exe
PID 4996 wrote to memory of 1780	4996	1F7F.exe	icacls.exe
PID 4996 wrote to memory of 3464	4996	1F7F.exe	1F7F.exe
PID 4996 wrote to memory of 3464	4996	1F7F.exe	1F7F.exe
PID 4996 wrote to memory of 3464	4996	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 3464 wrote to memory of 2464	3464	1F7F.exe	1F7F.exe
PID 2464 wrote to memory of 3540	2464	1F7F.exe	build2.exe
PID 2464 wrote to memory of 3540	2464	1F7F.exe	build2.exe
PID 2464 wrote to memory of 3540	2464	1F7F.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 3776	3540	build2.exe	build2.exe
PID 3776 wrote to memory of 5092	3776	build2.exe	cmd.exe
PID 3776 wrote to memory of 5092	3776	build2.exe	cmd.exe
PID 3776 wrote to memory of 5092	3776	build2.exe	cmd.exe
PID 5092 wrote to memory of 4564	5092	cmd.exe	taskkill.exe
PID 5092 wrote to memory of 4564	5092	cmd.exe	taskkill.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe
"C:\Users\Admin\AppData\Local\Temp\356d062896f00acbc36de0e0a68cf762c269386230d66009a2ceea92f7b22d2b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1928

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1E46.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1E46.dll
2⤵
- Loads dropped DLL
PID:4356

C:\Users\Admin\AppData\Local\Temp\1F7F.exe
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\1F7F.exe
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\19d571df-bb1b-42ce-9374-476e8a706ea1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1780

C:\Users\Admin\AppData\Local\Temp\1F7F.exe
"C:\Users\Admin\AppData\Local\Temp\1F7F.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\1F7F.exe
"C:\Users\Admin\AppData\Local\Temp\1F7F.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe
"C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe
"C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" \/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe" & del C:\PrograData\*.dll & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2700

C:\Users\Admin\AppData\Local\Temp\2676.exe
C:\Users\Admin\AppData\Local\Temp\2676.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Users\Admin\AppData\Local\Temp\3A3D.exe
C:\Users\Admin\AppData\Local\Temp\3A3D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\DE3E.exe
C:\Users\Admin\AppData\Local\Temp\DE3E.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyADMA
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:74704

C:\Users\Admin\AppData\Local\Temp\E729.exe
C:\Users\Admin\AppData\Local\Temp\E729.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:74480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:15324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:29608

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:46596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:65200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:74516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:74672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:74540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
32958182234a80a5b2589418864f6117

SHA1
598276140fd27d8931dbe02625e3378ad9085b8d

SHA256
a6f4c0928ecef1052acb557bf148d4d06206afaa0d334d30ef676d8b4b89fdb2

SHA512
04157e1f291fb8e11e8134fa321d6473ff7ed55c7848170ac9c6db4dd9e42d8303c40746ce56f4112f26c5ea730703ad00fa52fdf57377c81221473210e49dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
0d870ca424457579d4bd345ac1ec6c3c

SHA1
fc3d8924e13b4fc5eca7cabd4967eea3d4db1690

SHA256
cf9df8d62ec78ca20a50633047af6c913dc2d10f15823795e8d86042c7b05ed0

SHA512
a1e731ae03b1a2259f8e1afc86058aabb3b8ce3b0141f08ea18b6c7003c55aeb135d40bba38ebf1f76174eb1ad758fbec10841dee1ed704fb0285e36b2f7d66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
a591c43ed1b7c7a9d466a4216b7721f7

SHA1
e6ad282a98a81da3fbbc34e01ad8416e96aa2336

SHA256
adaa93b96a702abbb877a908a236c920d7476aa9569c23b1c98b06f59aaa7f8e

SHA512
ed4ad939f066b495a585ffb1f77cd43ddf98233c6c681239b7d7e0880bda5c81196c6c5911d070383aa4458f9d213f033c542b720b0da8c6483fb8506c809f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
73b9080b53fe2f3fc51108dc2917699b

SHA1
fc0dc9f239951698e3d503793cb9d65632cbc963

SHA256
5afab82596f9a40dc0cb7c6e6d193aaf345fdb53db6b57d51a636ea2e70f9da0

SHA512
eea8517f98aa809d07a2bc13cc6469b4d76f52f361cb9049cb5997383c5642cac077c0682f7a9db78745d13a0dd22380fcc65b2be9f0e0a52a33ca481b9b9c9c

Download Submit
C:\Users\Admin\AppData\Local\19d571df-bb1b-42ce-9374-476e8a706ea1\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E46.dll
Filesize
1.4MB

MD5
3ee96204441d27dcc2de050ede40c2a3

SHA1
3b2d387ca9663b7b1abf4531f85545c9df0cb076

SHA256
4061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda

SHA512
133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F7F.exe
Filesize
665KB

MD5
76e6696f56054c936deceabdd72b2106

SHA1
d976af42d7dab3b8b63bf591b662b83cfa449f7f

SHA256
7a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2

SHA512
bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2676.exe
Filesize
280KB

MD5
1ad355eaceec1ed77801e4a285e6beb2

SHA1
04ed5b9879a19ff228610e9fdf4b831c996f731e

SHA256
6325f021e1e75b4d29cda66e853143e4bcdb314d29791fb009096f25938890cc

SHA512
4ae122237370c027d458bf94cde8623a4652087af4379c14f0bd904e85b7c413577e2ac9e2c2b64efe27270b4b20903ea6d685083a8645f2c137772c8c6ec1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2676.exe
Filesize
280KB

MD5
1ad355eaceec1ed77801e4a285e6beb2

SHA1
04ed5b9879a19ff228610e9fdf4b831c996f731e

SHA256
6325f021e1e75b4d29cda66e853143e4bcdb314d29791fb009096f25938890cc

SHA512
4ae122237370c027d458bf94cde8623a4652087af4379c14f0bd904e85b7c413577e2ac9e2c2b64efe27270b4b20903ea6d685083a8645f2c137772c8c6ec1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A3D.exe
Filesize
6.6MB

MD5
4c9e48dcb47c4b46eca3a51605c71d2d

SHA1
581847ba15f650291ebc111e95ed938476d16090

SHA256
baa1661c6a590204e4e87e5ab7c5ed622c988f28d9c4ccf72a5db2883dc8c47e

SHA512
99932cb133e382a3416e56690b4ab670f7d279e466abbb50f562705f41d8cf1ef4547357c8e310d7358c4de5c47b201d6e573426f8ef0912e9c03deee5314ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A3D.exe
Filesize
6.6MB

MD5
4c9e48dcb47c4b46eca3a51605c71d2d

SHA1
581847ba15f650291ebc111e95ed938476d16090

SHA256
baa1661c6a590204e4e87e5ab7c5ed622c988f28d9c4ccf72a5db2883dc8c47e

SHA512
99932cb133e382a3416e56690b4ab670f7d279e466abbb50f562705f41d8cf1ef4547357c8e310d7358c4de5c47b201d6e573426f8ef0912e9c03deee5314ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3E.exe
Filesize
1.1MB

MD5
137b9eea525bfc1e54784bb2f450b8b9

SHA1
e34f7a90d8f1994413184f819d23869e7bb273b1

SHA256
1b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26

SHA512
3aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE3E.exe
Filesize
1.1MB

MD5
137b9eea525bfc1e54784bb2f450b8b9

SHA1
e34f7a90d8f1994413184f819d23869e7bb273b1

SHA256
1b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26

SHA512
3aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E729.exe
Filesize
2.6MB

MD5
d5ecc2fd366dbd8d0cd3e9e8c8f5dbd8

SHA1
ed7413773b7c9154c9aeed9d173f61577522e0db

SHA256
576f224909dc7872b8c5bb4902d177f273c8d680c783454b1d43ad46bed7e983

SHA512
858db48785bef29d7d58bf2ff2b7e6c00537e63d2c571741d86ccd293d77abdaa19deab3a68352dae67e650e8da8a20ed7f38e1716af66e589c1c0d58de94bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E729.exe
Filesize
2.6MB

MD5
d5ecc2fd366dbd8d0cd3e9e8c8f5dbd8

SHA1
ed7413773b7c9154c9aeed9d173f61577522e0db

SHA256
576f224909dc7872b8c5bb4902d177f273c8d680c783454b1d43ad46bed7e983

SHA512
858db48785bef29d7d58bf2ff2b7e6c00537e63d2c571741d86ccd293d77abdaa19deab3a68352dae67e650e8da8a20ed7f38e1716af66e589c1c0d58de94bd5

Download Submit
C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
C:\Users\Admin\AppData\Local\ca3de7f1-b01a-4648-976c-1fa2718ec1c0\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\1E46.dll
Filesize
1.4MB

MD5
3ee96204441d27dcc2de050ede40c2a3

SHA1
3b2d387ca9663b7b1abf4531f85545c9df0cb076

SHA256
4061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda

SHA512
133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39

Download Submit
memory/1780-496-0x0000000000000000-mapping.dmp

Download
memory/1928-147-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-152-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/1928-155-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1928-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-153-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/1928-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-157-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-158-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1928-121-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-133-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-122-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-130-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-123-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-146-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-138-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-135-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-124-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-144-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-139-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-132-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-126-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-127-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-131-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-120-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-129-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-128-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-142-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-364-0x0000000000400000-0x0000000000E43000-memory.dmp

Filesize
10.3MB

Download
memory/1932-602-0x0000000000400000-0x0000000000E43000-memory.dmp

Filesize
10.3MB

Download
memory/1932-538-0x0000000000400000-0x0000000000E43000-memory.dmp

Filesize
10.3MB

Download
memory/1932-262-0x0000000000000000-mapping.dmp

Download
memory/1944-189-0x0000000000000000-mapping.dmp

Download
memory/1944-195-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1944-489-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1944-490-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-488-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/1944-547-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-194-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2464-814-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2464-634-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2464-562-0x0000000000424141-mapping.dmp

Download
memory/2700-842-0x0000000000000000-mapping.dmp

Download
memory/3464-530-0x0000000000000000-mapping.dmp

Download
memory/3540-166-0x0000000000000000-mapping.dmp

Download
memory/3540-650-0x0000000000000000-mapping.dmp

Download
memory/3540-268-0x00000000022C0000-0x00000000023DB000-memory.dmp

Filesize
1.1MB

Download
memory/3540-266-0x0000000000690000-0x000000000073E000-memory.dmp

Filesize
696KB

Download
memory/3540-686-0x0000000002190000-0x00000000021D7000-memory.dmp

Filesize
284KB

Download
memory/3540-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-187-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-188-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-186-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-184-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-183-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-179-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-176-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3560-925-0x0000000000000000-mapping.dmp

Download
memory/3560-1072-0x0000000002FF0000-0x0000000002FF7000-memory.dmp

Filesize
28KB

Download
memory/3560-1103-0x0000000002FE0000-0x0000000002FEB000-memory.dmp

Filesize
44KB

Download
memory/3684-440-0x0000000002B20000-0x0000000002B95000-memory.dmp

Filesize
468KB

Download
memory/3684-281-0x0000000000000000-mapping.dmp

Download
memory/3684-485-0x0000000002AB0000-0x0000000002B1B000-memory.dmp

Filesize
428KB

Download
memory/3684-441-0x0000000002AB0000-0x0000000002B1B000-memory.dmp

Filesize
428KB

Download
memory/3692-159-0x0000000000000000-mapping.dmp

Download
memory/3776-718-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3776-682-0x000000000042094D-mapping.dmp

Download
memory/3776-793-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3932-953-0x0000000008BC0000-0x0000000008C52000-memory.dmp

Filesize
584KB

Download
memory/3932-955-0x0000000008CB0000-0x0000000008CD2000-memory.dmp

Filesize
136KB

Download
memory/3932-909-0x0000000008A30000-0x0000000008B54000-memory.dmp

Filesize
1.1MB

Download
memory/3932-900-0x0000000000D00000-0x0000000000E24000-memory.dmp

Filesize
1.1MB

Download
memory/3932-865-0x0000000000000000-mapping.dmp

Download
memory/3932-962-0x0000000008CE0000-0x0000000009030000-memory.dmp

Filesize
3.3MB

Download
memory/4132-1448-0x0000000003290000-0x000000000329B000-memory.dmp

Filesize
44KB

Download
memory/4132-1447-0x00000000032A0000-0x00000000032A8000-memory.dmp

Filesize
32KB

Download
memory/4132-1125-0x0000000000000000-mapping.dmp

Download
memory/4356-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-191-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-161-0x0000000000000000-mapping.dmp

Download
memory/4356-517-0x0000000004960000-0x0000000004A47000-memory.dmp

Filesize
924KB

Download
memory/4356-196-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-193-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-167-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-492-0x0000000004960000-0x0000000004A47000-memory.dmp

Filesize
924KB

Download
memory/4356-491-0x0000000004740000-0x000000000486C000-memory.dmp

Filesize
1.2MB

Download
memory/4356-190-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4564-798-0x0000000000000000-mapping.dmp

Download
memory/4724-317-0x0000000000B60000-0x0000000000B67000-memory.dmp

Filesize
28KB

Download
memory/4724-321-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/4724-306-0x0000000000000000-mapping.dmp

Download
memory/4724-520-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/4924-919-0x0000000000000000-mapping.dmp

Download
memory/4996-416-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4996-279-0x0000000000424141-mapping.dmp

Download
memory/4996-533-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5092-791-0x0000000000000000-mapping.dmp

Download
memory/15324-961-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/15324-965-0x00000000003A0000-0x00000000003AF000-memory.dmp

Filesize
60KB

Download
memory/15324-942-0x0000000000000000-mapping.dmp

Download
memory/15324-1307-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/29608-1313-0x0000000002C60000-0x0000000002C69000-memory.dmp

Filesize
36KB

Download
memory/29608-960-0x0000000000000000-mapping.dmp

Download
memory/29608-1260-0x0000000002C70000-0x0000000002C75000-memory.dmp

Filesize
20KB

Download
memory/46596-983-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/46596-1362-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/46596-987-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download
memory/46596-978-0x0000000000000000-mapping.dmp

Download
memory/65200-998-0x0000000000000000-mapping.dmp

Download
memory/65200-1372-0x0000000002CD0000-0x0000000002CF7000-memory.dmp

Filesize
156KB

Download
memory/65200-1367-0x0000000002D00000-0x0000000002D22000-memory.dmp

Filesize
136KB

Download
memory/74480-1434-0x0000000008BE0000-0x0000000008C2B000-memory.dmp

Filesize
300KB

Download
memory/74480-1050-0x000000000057217A-mapping.dmp

Download
memory/74480-1291-0x0000000000550000-0x0000000000578000-memory.dmp

Filesize
160KB

Download
memory/74480-1406-0x0000000008F70000-0x0000000009576000-memory.dmp

Filesize
6.0MB

Download
memory/74480-1423-0x0000000008A70000-0x0000000008AAE000-memory.dmp

Filesize
248KB

Download
memory/74480-1417-0x0000000008A10000-0x0000000008A22000-memory.dmp

Filesize
72KB

Download
memory/74480-1411-0x0000000008AD0000-0x0000000008BDA000-memory.dmp

Filesize
1.0MB

Download
memory/74516-1418-0x0000000002790000-0x0000000002799000-memory.dmp

Filesize
36KB

Download
memory/74516-1025-0x0000000000000000-mapping.dmp

Download
memory/74516-1378-0x00000000027A0000-0x00000000027A5000-memory.dmp

Filesize
20KB

Download
memory/74540-1095-0x0000000000000000-mapping.dmp

Download
memory/74540-1110-0x0000000000CB0000-0x0000000000CBD000-memory.dmp

Filesize
52KB

Download
memory/74672-1422-0x0000000002750000-0x0000000002756000-memory.dmp

Filesize
24KB

Download
memory/74672-1426-0x0000000002740000-0x000000000274B000-memory.dmp

Filesize
44KB

Download
memory/74672-1061-0x0000000000000000-mapping.dmp

Download
memory/74704-1401-0x00000000078D0000-0x0000000007EF8000-memory.dmp

Filesize
6.2MB

Download
memory/74704-1065-0x0000000000000000-mapping.dmp

Download
memory/74704-1446-0x0000000007F00000-0x0000000007F66000-memory.dmp

Filesize
408KB

Download
memory/74704-1449-0x0000000008150000-0x00000000081B6000-memory.dmp

Filesize
408KB

Download
memory/74704-1377-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/74704-1457-0x0000000008510000-0x000000000852C000-memory.dmp

Filesize
112KB

Download