dharma | a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b

Resubmissions

23-10-2023 21:58

231023-1vlrxsgc2w 10

28-12-2022 20:03

221228-ys52nsbd89 10

28-12-2022 19:41

221228-yej72sbd64 10

28-12-2022 19:27

221228-x569tsbd43 10

Analysis

max time kernel
256s
max time network
257s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dharma.exe
Size

677KB
MD5

2d4ec86793fec1e10ac8fb617b2dcdbd
SHA1

078df2b23e7e24f2397532f9ec2694191fd9cc20
SHA256

a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
SHA512

1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de
SSDEEP

12288:5IODa1GPYOBsDMOUaIQpGyEV3T5W241YcWEhpEdVe1/4vS1ZoYGIRUafy5LT+0w:5IO+aYxHjpYT5s1YcWEhpEdVe1/4vS1T

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@stex777.com Write this ID in the title of your message A4F56274 In case of no answer in 24 hours write us to theese e-mails: admin@stex777.xyz You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

admin@stex777.com

admin@stex777.xyz

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dharma.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation dharma.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dharma.exe

Drops startup file 6 IoCs

Processes:

dharma.exetaskmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	dharma.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dharma.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma.exe = "C:\\Windows\\System32\\dharma.exe"	dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	dharma.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

dharma.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	dharma.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	dharma.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	dharma.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	dharma.exe
File opened for modification	C:\Program Files\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	dharma.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	dharma.exe

Drops file in System32 directory 2 IoCs

Processes:

dharma.exe

description ioc process

File created C:\Windows\System32\dharma.exe dharma.exe
File created C:\Windows\System32\Info.hta dharma.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dharma.exe

description pid process target process

PID 3564 set thread context of 1804 3564 dharma.exe dharma.exe

description	ioc	process
File created	C:\Windows\System32\dharma.exe	dharma.exe
File created	C:\Windows\System32\Info.hta	dharma.exe

description	pid	process	target process
PID 3564 set thread context of 1804	3564	dharma.exe	dharma.exe

Drops file in Program Files directory 64 IoCs

Processes:

dharma.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js	dharma.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ta.pak	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll	dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vcruntime140_1.dll	dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-100.png	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140fra.dll	dharma.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\am.pak.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-200.png	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-lightunplated.png	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms	dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBarTasks.dll	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-200.png	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js.id-A4F56274.[admin@stex777.com].money	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xsl	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	dharma.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\XboxResourceDictionary.xaml	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png	dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_lt.json	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlConeHover.png	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jsoundds.dll	dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-150_contrast-white.png	dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsuProvider.dll	dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.id-A4F56274.[admin@stex777.com].money	dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.id-A4F56274.[admin@stex777.com].money	dharma.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1996 vssadmin.exe
296 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings OpenWith.exe

pid	process
1996	vssadmin.exe
296	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dharma.exetaskmgr.exe

pid	process
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
4312	taskmgr.exe
4312	taskmgr.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe
4312	taskmgr.exe
1804	dharma.exe
1804	dharma.exe
1804	dharma.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeOpenWith.exe

pid process

4312 taskmgr.exe
3144 OpenWith.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vssvc.exetaskmgr.exe

description	pid	process
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe
Token: SeDebugPrivilege	4312	taskmgr.exe
Token: SeSystemProfilePrivilege	4312	taskmgr.exe
Token: SeCreateGlobalPrivilege	4312	taskmgr.exe
Token: 33	4312	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4312	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exemspaint.exe

pid	process
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
4940	mspaint.exe
4940	mspaint.exe
4940	mspaint.exe
4940	mspaint.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

dharma.exedharma.execmd.execmd.exeOpenWith.exe

description	pid	process	target process
PID 3564 wrote to memory of 1804	3564	dharma.exe	dharma.exe
PID 3564 wrote to memory of 1804	3564	dharma.exe	dharma.exe
PID 3564 wrote to memory of 1804	3564	dharma.exe	dharma.exe
PID 3564 wrote to memory of 1804	3564	dharma.exe	dharma.exe
PID 1804 wrote to memory of 4600	1804	dharma.exe	cmd.exe
PID 1804 wrote to memory of 4600	1804	dharma.exe	cmd.exe
PID 4600 wrote to memory of 4376	4600	cmd.exe	mode.com
PID 4600 wrote to memory of 4376	4600	cmd.exe	mode.com
PID 4600 wrote to memory of 1996	4600	cmd.exe	vssadmin.exe
PID 4600 wrote to memory of 1996	4600	cmd.exe	vssadmin.exe
PID 1804 wrote to memory of 3712	1804	dharma.exe	cmd.exe
PID 1804 wrote to memory of 3712	1804	dharma.exe	cmd.exe
PID 3712 wrote to memory of 2364	3712	cmd.exe	mode.com
PID 3712 wrote to memory of 2364	3712	cmd.exe	mode.com
PID 1804 wrote to memory of 2000	1804	dharma.exe	mshta.exe
PID 1804 wrote to memory of 2000	1804	dharma.exe	mshta.exe
PID 1804 wrote to memory of 3432	1804	dharma.exe	mshta.exe
PID 1804 wrote to memory of 3432	1804	dharma.exe	mshta.exe
PID 3712 wrote to memory of 296	3712	cmd.exe	vssadmin.exe
PID 3712 wrote to memory of 296	3712	cmd.exe	vssadmin.exe
PID 3144 wrote to memory of 4940	3144	OpenWith.exe	mspaint.exe
PID 3144 wrote to memory of 4940	3144	OpenWith.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\dharma.exe
"C:\Users\Admin\AppData\Local\Temp\dharma.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\dharma.exe
C:\Users\Admin\AppData\Local\Temp\dharma.exe
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:4376

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1996

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:2364

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:296

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:2000

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:3432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\Google Chrome.lnk.id-A4F56274.[admin@stex777.com].money"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
125d104225b0f251f83c458b6da4e30f

SHA1
70425b3a9b793a6a9544ffab0afb0e529574e8ef

SHA256
5bac752ebff690977cf421cbffe5873d7e00977f1c840d1f5ef7b2876cd6eb1b

SHA512
8cf7bae12597a8a33eed44c777b103fb4747230fbb72ebf2e889909cda2119db9f852c5ff486839844b60659a96d2e8b4d4fb45111b52f22b4d8c7cf50e61b2e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe
Filesize
677KB

MD5
2d4ec86793fec1e10ac8fb617b2dcdbd

SHA1
078df2b23e7e24f2397532f9ec2694191fd9cc20

SHA256
a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b

SHA512
1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
5bc82a24bcd69d33722090ca3a7ac303

SHA1
b1eb04bd182ed38ff291bc70ade2fa3cfe87adb1

SHA256
b20a745b06c12c6159e91c9457a49a7241d67935ed3e0b361f94328db0c7daa8

SHA512
417cfdbc4db69ed748f4af00b0bf305248997f208df5e2a1e671d8355af4b93f44dfb9b032b1b0ff00419b73d732efcda747d5b4b348f788a50c2369185aff07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
125d104225b0f251f83c458b6da4e30f

SHA1
70425b3a9b793a6a9544ffab0afb0e529574e8ef

SHA256
5bac752ebff690977cf421cbffe5873d7e00977f1c840d1f5ef7b2876cd6eb1b

SHA512
8cf7bae12597a8a33eed44c777b103fb4747230fbb72ebf2e889909cda2119db9f852c5ff486839844b60659a96d2e8b4d4fb45111b52f22b4d8c7cf50e61b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe
Filesize
677KB

MD5
2d4ec86793fec1e10ac8fb617b2dcdbd

SHA1
078df2b23e7e24f2397532f9ec2694191fd9cc20

SHA256
a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b

SHA512
1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.id-A4F56274.[admin@stex777.com].money
Filesize
2KB

MD5
ac9c88ff919b611d0c7a8849a80dda02

SHA1
787cba66fac4170c1ac1cfdab9dd62a2b0d636f7

SHA256
e2c8d62235c51a67babf22aad043b85070902ecc487418f01cbd61f67650b160

SHA512
b8688fc04ec968301a3d16f7cd6120d49d21be2e416305f36f3d90b9b72e9145123c5141d48d694c03df36002c2b0df3a57b00f22c5d26f6aeafe254fe256816

Download Submit
C:\Windows\System32\dharma.exe
Filesize
677KB

MD5
2d4ec86793fec1e10ac8fb617b2dcdbd

SHA1
078df2b23e7e24f2397532f9ec2694191fd9cc20

SHA256
a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b

SHA512
1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

Download Submit
memory/296-159-0x0000000000000000-mapping.dmp

Download
memory/1804-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1804-133-0x0000000000000000-mapping.dmp

Download
memory/1804-139-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-143-0x0000000000000000-mapping.dmp

Download
memory/2000-154-0x0000000000000000-mapping.dmp

Download
memory/2364-153-0x0000000000000000-mapping.dmp

Download
memory/3432-156-0x0000000000000000-mapping.dmp

Download
memory/3564-132-0x00000000029B0000-0x00000000029E3000-memory.dmp

Filesize
204KB

Download
memory/3564-141-0x00000000029B0000-0x00000000029E3000-memory.dmp

Filesize
204KB

Download
memory/3712-151-0x0000000000000000-mapping.dmp

Download
memory/4376-142-0x0000000000000000-mapping.dmp

Download
memory/4600-140-0x0000000000000000-mapping.dmp

Download
memory/4940-161-0x0000000000000000-mapping.dmp

Download