djvu | e3032449abc9c33b26bed77108e5047d659e2f01bd61e348d80f2b0d1d4db905

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

272KB
MD5

c774e5b8dbc7ce39310b2275ea5a23c5
SHA1

23aa29d5a0236a02e7593279e1b618def7e77ec2
SHA256

e3032449abc9c33b26bed77108e5047d659e2f01bd61e348d80f2b0d1d4db905
SHA512

62bf01d8fd95fbbc2bcf4991a7b621452f529c92b136994e174849c3bdab5c8f9f5b13117b7e10cce652f6e7aef9350553bbf09b892d3c3a6df571f8c91555e2
SSDEEP

6144:HZfqbnZLEs10zuMybfgF3cDuzbgwu5WHwVf:HdqbZYs1dbIF3gunn

Score

10^/10

djvu smokeloader backdoor collection discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.adww
offline_id
z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1
payload_url
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3012-151-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3012-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3012-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1856-155-0x0000000002170000-0x000000000228B000-memory.dmp	family_djvu
behavioral2/memory/3012-163-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3012-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3012-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2356-189-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2356-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2356-196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2356-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3020-133-0x0000000000590000-0x0000000000599000-memory.dmp	family_smokeloader
behavioral2/memory/4244-170-0x0000000000590000-0x0000000000599000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

3B05.exe4084.exe426A.exe3B05.exe3B05.exe3B05.exebuild3.exeCD85.exeD1DC.exeDA78.exeE7A8.exemstsca.exe

pid	process
1856	3B05.exe
4008	4084.exe
4244	426A.exe
3012	3B05.exe
1752	3B05.exe
2356	3B05.exe
3884	build3.exe
1692	CD85.exe
3084	D1DC.exe
1068	DA78.exe
1548	E7A8.exe
1800	mstsca.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3B05.exe3B05.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3B05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3B05.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

3568 regsvr32.exe
3568 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3656 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3568	regsvr32.exe
3568	regsvr32.exe

pid	process
3656	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3B05.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e0cdf64d-ebd6-4345-b440-720dc96de939\\3B05.exe\" --AutoStart"	3B05.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.2ip.ua
24 api.2ip.ua
45 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

3B05.exe3B05.exe

description pid process target process

PID 1856 set thread context of 3012 1856 3B05.exe 3B05.exe
PID 1752 set thread context of 2356 1752 3B05.exe 3B05.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
23	api.2ip.ua
24	api.2ip.ua
45	api.2ip.ua

description	pid	process	target process
PID 1856 set thread context of 3012	1856	3B05.exe	3B05.exe
PID 1752 set thread context of 2356	1752	3B05.exe	3B05.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
912	4008	WerFault.exe	4084.exe
4676	4008	WerFault.exe	4084.exe
4196	4008	WerFault.exe	4084.exe
1860	4008	WerFault.exe	4084.exe
1468	4008	WerFault.exe	4084.exe
3924	4008	WerFault.exe	4084.exe
4176	4008	WerFault.exe	4084.exe
2052	4008	WerFault.exe	4084.exe
1648	4008	WerFault.exe	4084.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

426A.exefile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	426A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	426A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	426A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4944 schtasks.exe
1616 schtasks.exe

pid	process
4944	schtasks.exe
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3020	file.exe
3020	file.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

file.exe426A.exe

pid process

3020 file.exe
3048
3048
3048
3048
4244 426A.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

pid	process
3048

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe3B05.exe3B05.exe4084.exe3B05.execmd.execmd.exe3B05.exe

description	pid	process	target process
PID 3048 wrote to memory of 1856	3048		3B05.exe
PID 3048 wrote to memory of 1856	3048		3B05.exe
PID 3048 wrote to memory of 1856	3048		3B05.exe
PID 3048 wrote to memory of 4008	3048		4084.exe
PID 3048 wrote to memory of 4008	3048		4084.exe
PID 3048 wrote to memory of 4008	3048		4084.exe
PID 3048 wrote to memory of 4244	3048		426A.exe
PID 3048 wrote to memory of 4244	3048		426A.exe
PID 3048 wrote to memory of 4244	3048		426A.exe
PID 3048 wrote to memory of 1520	3048		regsvr32.exe
PID 3048 wrote to memory of 1520	3048		regsvr32.exe
PID 3048 wrote to memory of 3992	3048		explorer.exe
PID 3048 wrote to memory of 3992	3048		explorer.exe
PID 3048 wrote to memory of 3992	3048		explorer.exe
PID 3048 wrote to memory of 3992	3048		explorer.exe
PID 1520 wrote to memory of 3568	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 3568	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 3568	1520	regsvr32.exe	regsvr32.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 1856 wrote to memory of 3012	1856	3B05.exe	3B05.exe
PID 3048 wrote to memory of 5108	3048		explorer.exe
PID 3048 wrote to memory of 5108	3048		explorer.exe
PID 3048 wrote to memory of 5108	3048		explorer.exe
PID 3012 wrote to memory of 3656	3012	3B05.exe	icacls.exe
PID 3012 wrote to memory of 3656	3012	3B05.exe	icacls.exe
PID 3012 wrote to memory of 3656	3012	3B05.exe	icacls.exe
PID 3012 wrote to memory of 1752	3012	3B05.exe	3B05.exe
PID 3012 wrote to memory of 1752	3012	3B05.exe	3B05.exe
PID 3012 wrote to memory of 1752	3012	3B05.exe	3B05.exe
PID 4008 wrote to memory of 4452	4008	4084.exe	wmic.exe
PID 4008 wrote to memory of 4452	4008	4084.exe	wmic.exe
PID 4008 wrote to memory of 4452	4008	4084.exe	wmic.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 1752 wrote to memory of 2356	1752	3B05.exe	3B05.exe
PID 4008 wrote to memory of 1560	4008	4084.exe	cmd.exe
PID 4008 wrote to memory of 1560	4008	4084.exe	cmd.exe
PID 4008 wrote to memory of 1560	4008	4084.exe	cmd.exe
PID 1560 wrote to memory of 5072	1560	cmd.exe	WMIC.exe
PID 1560 wrote to memory of 5072	1560	cmd.exe	WMIC.exe
PID 1560 wrote to memory of 5072	1560	cmd.exe	WMIC.exe
PID 4008 wrote to memory of 5076	4008	4084.exe	cmd.exe
PID 4008 wrote to memory of 5076	4008	4084.exe	cmd.exe
PID 4008 wrote to memory of 5076	4008	4084.exe	cmd.exe
PID 5076 wrote to memory of 444	5076	cmd.exe	WMIC.exe
PID 5076 wrote to memory of 444	5076	cmd.exe	WMIC.exe
PID 5076 wrote to memory of 444	5076	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 3884	2356	3B05.exe	build3.exe
PID 2356 wrote to memory of 3884	2356	3B05.exe	build3.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3020

C:\Users\Admin\AppData\Local\Temp\3B05.exe
C:\Users\Admin\AppData\Local\Temp\3B05.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\3B05.exe
C:\Users\Admin\AppData\Local\Temp\3B05.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e0cdf64d-ebd6-4345-b440-720dc96de939" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3656

C:\Users\Admin\AppData\Local\Temp\3B05.exe
"C:\Users\Admin\AppData\Local\Temp\3B05.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\3B05.exe
"C:\Users\Admin\AppData\Local\Temp\3B05.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\85063fbc-f1d7-45c0-ae19-7466d452ef58\build3.exe
"C:\Users\Admin\AppData\Local\85063fbc-f1d7-45c0-ae19-7466d452ef58\build3.exe"
5⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4944

C:\Users\Admin\AppData\Local\Temp\4084.exe
C:\Users\Admin\AppData\Local\Temp\4084.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 548
2⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 552
2⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 552
2⤵
- Program crash
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 680
2⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 768
2⤵
- Program crash
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 860
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1364
2⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1372
2⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 140
2⤵
- Program crash
PID:1648

C:\Users\Admin\AppData\Local\Temp\426A.exe
C:\Users\Admin\AppData\Local\Temp\426A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4244

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45D6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\45D6.dll
2⤵
- Loads dropped DLL
PID:3568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4008 -ip 4008
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4008 -ip 4008
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4008 -ip 4008
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4008 -ip 4008
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4008 -ip 4008
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4008 -ip 4008
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4008 -ip 4008
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4008 -ip 4008
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4008 -ip 4008
1⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\CD85.exe
C:\Users\Admin\AppData\Local\Temp\CD85.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\D1DC.exe
C:\Users\Admin\AppData\Local\Temp\D1DC.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Local\Temp\DA78.exe
C:\Users\Admin\AppData\Local\Temp\DA78.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\E7A8.exe
C:\Users\Admin\AppData\Local\Temp\E7A8.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
PID:2268

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
PID:4708

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:968

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1520

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4768

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
596d2fdcebb9285d08c83e8c66f21dc9

SHA1
d634a64d292467c4fe9f1b2b80ac3bf82a08d49f

SHA256
0231bc4602667ff24bfa1caab1d56c225a54031c452c9de84b810be18628a3e3

SHA512
fd0399c36455095561381c33ba0f6f98496dc2fd63792f148ec9dfbc06ed6ad24a6bf9aa7f559dba7f257ccd145ee8532418606c2eb282a42ca678de4231d818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
b6f52795b677b4e2ad47736ffe3704a5

SHA1
945cb962aae5a0986c476650006227debf93b51c

SHA256
c8aff1f15506340e6abd76c8a8382e9caeba4fa8e8483254cf7ab9d22c2a57fe

SHA512
1e241b4c9bf53a97c980dd09bc73abcaf05ed8ccc641d5b0ad1eadc4502b4c1519b62d9c51f8e38c73898c2eca4a4a2e81777763731bf0f36dc5c04a30ae0450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
0ce504e13e8f9a7993e4fd12ddccd74a

SHA1
d142397e1ffb35b8531f351b4d2cc3c21c975951

SHA256
b37480427442c61be22a203959935d9278cdfe68747d9fac93482900324b0ebd

SHA512
c1930372b5e8e79f1720b5249e9033dc283a060b9891e08d67af90e759910d1df95183a97817ec40109374f28760edc9a473cde9caa3bd3ed17fa6792dbe145c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
63a5c3e923ec25bfce8381673cbfa405

SHA1
913a47e296648cb7a7a6439af0927a48223e2525

SHA256
33421c308b18785e981763ec34e10ddac2f5d2fcca3f60bc6ef1fe3f36e1565e

SHA512
be8ffb80d0e97fe85b614da1de2331437ab162075748a6f603a51cb6457a23fcebe5c601025e704ed499894014382c750a31093e0260477363f56172bb06bf36

Download Submit
C:\Users\Admin\AppData\Local\85063fbc-f1d7-45c0-ae19-7466d452ef58\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\85063fbc-f1d7-45c0-ae19-7466d452ef58\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4084.exe
Filesize
4.7MB

MD5
b7d1f2d9f24ea1dd252488dfd5e9248a

SHA1
dc7c95df7de74aab0797b29af52474d994a6d4e8

SHA256
bb9d7bf8907b369d8b93d8ec05a4e1af62995fb9b3220a21b3069c96c446eaec

SHA512
00e104075b4c349162b54ddad116aae202e8cfd463bca286d6dd3ca81cb43560081b816a263ba12f74740ff89fd21040e7ffc14ffc2cfee92d842cab8d06a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4084.exe
Filesize
4.7MB

MD5
b7d1f2d9f24ea1dd252488dfd5e9248a

SHA1
dc7c95df7de74aab0797b29af52474d994a6d4e8

SHA256
bb9d7bf8907b369d8b93d8ec05a4e1af62995fb9b3220a21b3069c96c446eaec

SHA512
00e104075b4c349162b54ddad116aae202e8cfd463bca286d6dd3ca81cb43560081b816a263ba12f74740ff89fd21040e7ffc14ffc2cfee92d842cab8d06a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\426A.exe
Filesize
272KB

MD5
8c82c1d50301a25e8865507f6cf6ec49

SHA1
3d7c8b00ebbac74445948db93b23acb68c944639

SHA256
98b423d68edb1645bc951eb52f8249066378a53a90794d00b021434bed3a7ef0

SHA512
5f6f52c8b651098a12457a8551934110b96ccae7014b75a02cf65be4fe92e021fe937613eb4eb50d13dce830e954440cc5b6964262ff8576e22cf08c7f0c4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\426A.exe
Filesize
272KB

MD5
8c82c1d50301a25e8865507f6cf6ec49

SHA1
3d7c8b00ebbac74445948db93b23acb68c944639

SHA256
98b423d68edb1645bc951eb52f8249066378a53a90794d00b021434bed3a7ef0

SHA512
5f6f52c8b651098a12457a8551934110b96ccae7014b75a02cf65be4fe92e021fe937613eb4eb50d13dce830e954440cc5b6964262ff8576e22cf08c7f0c4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\45D6.dll
Filesize
2.0MB

MD5
44e2c7075a5172112820a47e794678cc

SHA1
c0d14ed8ccbcdb3542e69463a76712afdf00e715

SHA256
c229d1d9ffaab276517584f97ab91132b533185e849ca2eea47832525dc62537

SHA512
a71c2f54830c8faeeab09f312ac9a1652ac7927c53d9bba6c8bdce9eb13bafe81f48c046e6a0bf722b3f4e9798abf8904a110db958f64bd0ffd2e68f914854c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\45D6.dll
Filesize
2.0MB

MD5
44e2c7075a5172112820a47e794678cc

SHA1
c0d14ed8ccbcdb3542e69463a76712afdf00e715

SHA256
c229d1d9ffaab276517584f97ab91132b533185e849ca2eea47832525dc62537

SHA512
a71c2f54830c8faeeab09f312ac9a1652ac7927c53d9bba6c8bdce9eb13bafe81f48c046e6a0bf722b3f4e9798abf8904a110db958f64bd0ffd2e68f914854c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\45D6.dll
Filesize
2.0MB

MD5
44e2c7075a5172112820a47e794678cc

SHA1
c0d14ed8ccbcdb3542e69463a76712afdf00e715

SHA256
c229d1d9ffaab276517584f97ab91132b533185e849ca2eea47832525dc62537

SHA512
a71c2f54830c8faeeab09f312ac9a1652ac7927c53d9bba6c8bdce9eb13bafe81f48c046e6a0bf722b3f4e9798abf8904a110db958f64bd0ffd2e68f914854c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD85.exe
Filesize
315KB

MD5
7be1dfb20bf80ad1375b7f3134a68b03

SHA1
406c461a6a3f7f7708399402d28831f37eb5f6d1

SHA256
9a96cfcf69c059705c170e32e5b49372bf4fce9f5e15bf32de4a518b621538ca

SHA512
f0404d394e73f39b00e43c067c4786f77192d8917acf9a31e6a0657eb2bc8f559f2057a026120f7ccdd44dc7849080579f3bad572151cea3975a6423a7ce4995

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD85.exe
Filesize
315KB

MD5
7be1dfb20bf80ad1375b7f3134a68b03

SHA1
406c461a6a3f7f7708399402d28831f37eb5f6d1

SHA256
9a96cfcf69c059705c170e32e5b49372bf4fce9f5e15bf32de4a518b621538ca

SHA512
f0404d394e73f39b00e43c067c4786f77192d8917acf9a31e6a0657eb2bc8f559f2057a026120f7ccdd44dc7849080579f3bad572151cea3975a6423a7ce4995

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1DC.exe
Filesize
363KB

MD5
aa555eded49c161f8438d13541e5f377

SHA1
ef016e5ab668777eded55920f9c9d20b6ab00aa3

SHA256
03f134c8db4b04b4232d737cf058ec5735dd0b94d706ae1dde2c328bbb6a8b20

SHA512
9a344c00730c3270feaec599be739c84f2aa8f408907eeab7e462fce75dc46a478d1dcd52f0e730c956b8659cc8bedab77cf30a69eb5e45727b22253ee72d24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1DC.exe
Filesize
363KB

MD5
aa555eded49c161f8438d13541e5f377

SHA1
ef016e5ab668777eded55920f9c9d20b6ab00aa3

SHA256
03f134c8db4b04b4232d737cf058ec5735dd0b94d706ae1dde2c328bbb6a8b20

SHA512
9a344c00730c3270feaec599be739c84f2aa8f408907eeab7e462fce75dc46a478d1dcd52f0e730c956b8659cc8bedab77cf30a69eb5e45727b22253ee72d24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA78.exe
Filesize
363KB

MD5
8d1f87ede369c82a966fbaaf5c9c2f1b

SHA1
45f48261817734db95d6f7bea033fd35b0974c4d

SHA256
834239cd424b7bd74c6fd310b2bc06ec3efa51c344b0aaf46a7e8aaeb87b6223

SHA512
4d84953f5ded8424af39e043af8683d72c68ca1f89126ea0b0d9eba52763495f9510688c10255350a943f0456f135c62f9ba26c8309edf1cb35852133f95a665

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA78.exe
Filesize
363KB

MD5
8d1f87ede369c82a966fbaaf5c9c2f1b

SHA1
45f48261817734db95d6f7bea033fd35b0974c4d

SHA256
834239cd424b7bd74c6fd310b2bc06ec3efa51c344b0aaf46a7e8aaeb87b6223

SHA512
4d84953f5ded8424af39e043af8683d72c68ca1f89126ea0b0d9eba52763495f9510688c10255350a943f0456f135c62f9ba26c8309edf1cb35852133f95a665

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7A8.exe
Filesize
4.3MB

MD5
3604fd6fc5729191f8ef87f94ab1c503

SHA1
431823b1236fcddbf7a7cd0377192e0b7a73e761

SHA256
e5302fda9a13df32c0e7afb3f2d12d1dabf7c4c57a6bbb4d1213ab6b6cfc51a5

SHA512
8ae7a57b2cc1d0e3fbea12839ed3b02c7d07f1068470d1ab62386a511d65eaca50230e8f8205839ee75f45e77600cd1d0badfc54c142f8cd223f7c35d4105aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7A8.exe
Filesize
4.3MB

MD5
3604fd6fc5729191f8ef87f94ab1c503

SHA1
431823b1236fcddbf7a7cd0377192e0b7a73e761

SHA256
e5302fda9a13df32c0e7afb3f2d12d1dabf7c4c57a6bbb4d1213ab6b6cfc51a5

SHA512
8ae7a57b2cc1d0e3fbea12839ed3b02c7d07f1068470d1ab62386a511d65eaca50230e8f8205839ee75f45e77600cd1d0badfc54c142f8cd223f7c35d4105aab

Download Submit
C:\Users\Admin\AppData\Local\e0cdf64d-ebd6-4345-b440-720dc96de939\3B05.exe
Filesize
783KB

MD5
7e5c07b23f8106fb60e872e6d597db83

SHA1
61a00be86ca3d7ab7c4a3942d9551fa78c293b71

SHA256
72faac0671b74302f64cd3577e2a2513d04f4b6da8a2782deb279a9024eecc9c

SHA512
3149639209406c98eddc025f136df880778641923a52481d26213982e5c262b2c9c0de26f116a40f6ff62c6bda04c87f825d834ece761c05e6b3a5c8e6cb3eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/444-200-0x0000000000000000-mapping.dmp

Download
memory/968-253-0x0000000001140000-0x0000000001145000-memory.dmp

Filesize
20KB

Download
memory/968-229-0x0000000000000000-mapping.dmp

Download
memory/968-231-0x0000000001140000-0x0000000001145000-memory.dmp

Filesize
20KB

Download
memory/968-232-0x0000000001130000-0x0000000001139000-memory.dmp

Filesize
36KB

Download
memory/1068-213-0x0000000000000000-mapping.dmp

Download
memory/1472-234-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1472-233-0x0000000000000000-mapping.dmp

Download
memory/1472-235-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1520-146-0x0000000000000000-mapping.dmp

Download
memory/1520-244-0x0000000000AD0000-0x0000000000ADB000-memory.dmp

Filesize
44KB

Download
memory/1520-242-0x0000000000000000-mapping.dmp

Download
memory/1520-256-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/1520-243-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/1548-216-0x0000000000000000-mapping.dmp

Download
memory/1560-197-0x0000000000000000-mapping.dmp

Download
memory/1616-261-0x0000000000000000-mapping.dmp

Download
memory/1692-207-0x0000000000000000-mapping.dmp

Download
memory/1752-190-0x000000000212B000-0x00000000021BC000-memory.dmp

Filesize
580KB

Download
memory/1752-177-0x0000000000000000-mapping.dmp

Download
memory/1856-137-0x0000000000000000-mapping.dmp

Download
memory/1856-155-0x0000000002170000-0x000000000228B000-memory.dmp

Filesize
1.1MB

Download
memory/1856-154-0x0000000000728000-0x00000000007B9000-memory.dmp

Filesize
580KB

Download
memory/2104-230-0x0000000000000000-mapping.dmp

Download
memory/2264-227-0x0000000000000000-mapping.dmp

Download
memory/2268-226-0x0000000000000000-mapping.dmp

Download
memory/2356-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-189-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-186-0x0000000000000000-mapping.dmp

Download
memory/2468-236-0x0000000000000000-mapping.dmp

Download
memory/2468-254-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

Filesize
136KB

Download
memory/2468-237-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

Filesize
136KB

Download
memory/2468-238-0x0000000000B90000-0x0000000000BB7000-memory.dmp

Filesize
156KB

Download
memory/3012-163-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3012-151-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3012-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3012-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3012-150-0x0000000000000000-mapping.dmp

Download
memory/3012-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3012-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3020-132-0x000000000074C000-0x000000000075C000-memory.dmp

Filesize
64KB

Download
memory/3020-136-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3020-135-0x000000000074C000-0x000000000075C000-memory.dmp

Filesize
64KB

Download
memory/3020-134-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3020-133-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/3084-210-0x0000000000000000-mapping.dmp

Download
memory/3568-165-0x00000000028D0000-0x0000000002A34000-memory.dmp

Filesize
1.4MB

Download
memory/3568-149-0x0000000000000000-mapping.dmp

Download
memory/3568-158-0x0000000002350000-0x0000000002548000-memory.dmp

Filesize
2.0MB

Download
memory/3568-255-0x00000000010A0000-0x00000000010A5000-memory.dmp

Filesize
20KB

Download
memory/3568-241-0x0000000001090000-0x0000000001099000-memory.dmp

Filesize
36KB

Download
memory/3568-240-0x00000000010A0000-0x00000000010A5000-memory.dmp

Filesize
20KB

Download
memory/3568-239-0x0000000000000000-mapping.dmp

Download
memory/3568-184-0x0000000002B70000-0x0000000002C94000-memory.dmp

Filesize
1.1MB

Download
memory/3568-166-0x0000000002B70000-0x0000000002C94000-memory.dmp

Filesize
1.1MB

Download
memory/3568-180-0x0000000002CB0000-0x0000000002D70000-memory.dmp

Filesize
768KB

Download
memory/3568-181-0x0000000002D80000-0x0000000002E2B000-memory.dmp

Filesize
684KB

Download
memory/3568-182-0x0000000002D80000-0x0000000002E2B000-memory.dmp

Filesize
684KB

Download
memory/3632-223-0x0000000000000000-mapping.dmp

Download
memory/3636-221-0x0000000000A30000-0x0000000000A3B000-memory.dmp

Filesize
44KB

Download
memory/3636-251-0x0000000000A40000-0x0000000000A47000-memory.dmp

Filesize
28KB

Download
memory/3636-220-0x0000000000A40000-0x0000000000A47000-memory.dmp

Filesize
28KB

Download
memory/3636-219-0x0000000000000000-mapping.dmp

Download
memory/3656-168-0x0000000000000000-mapping.dmp

Download
memory/3804-247-0x0000000000F50000-0x0000000000F5D000-memory.dmp

Filesize
52KB

Download
memory/3804-246-0x0000000000F60000-0x0000000000F67000-memory.dmp

Filesize
28KB

Download
memory/3804-245-0x0000000000000000-mapping.dmp

Download
memory/3804-257-0x0000000000F60000-0x0000000000F67000-memory.dmp

Filesize
28KB

Download
memory/3884-202-0x0000000000000000-mapping.dmp

Download
memory/3992-162-0x0000000001400000-0x0000000001475000-memory.dmp

Filesize
468KB

Download
memory/3992-164-0x0000000001130000-0x000000000119B000-memory.dmp

Filesize
428KB

Download
memory/3992-147-0x0000000000000000-mapping.dmp

Download
memory/3992-167-0x0000000001130000-0x000000000119B000-memory.dmp

Filesize
428KB

Download
memory/4008-201-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/4008-140-0x0000000000000000-mapping.dmp

Download
memory/4008-175-0x0000000003140000-0x0000000003587000-memory.dmp

Filesize
4.3MB

Download
memory/4008-176-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/4244-143-0x0000000000000000-mapping.dmp

Download
memory/4244-171-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4244-172-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4244-169-0x00000000007EB000-0x00000000007FC000-memory.dmp

Filesize
68KB

Download
memory/4244-170-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/4452-185-0x0000000000000000-mapping.dmp

Download
memory/4708-228-0x0000000000000000-mapping.dmp

Download
memory/4768-248-0x0000000000000000-mapping.dmp

Download
memory/4768-250-0x00000000010A0000-0x00000000010AB000-memory.dmp

Filesize
44KB

Download
memory/4768-249-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/4768-258-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/4924-252-0x0000000000B30000-0x0000000000B39000-memory.dmp

Filesize
36KB

Download
memory/4924-225-0x0000000000B20000-0x0000000000B2F000-memory.dmp

Filesize
60KB

Download
memory/4924-224-0x0000000000B30000-0x0000000000B39000-memory.dmp

Filesize
36KB

Download
memory/4924-222-0x0000000000000000-mapping.dmp

Download
memory/4944-205-0x0000000000000000-mapping.dmp

Download
memory/5072-198-0x0000000000000000-mapping.dmp

Download
memory/5076-199-0x0000000000000000-mapping.dmp

Download
memory/5108-160-0x0000000000000000-mapping.dmp

Download
memory/5108-161-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download