djvu | 631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992

Analysis

max time kernel
91s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
Size

341KB
MD5

65fb6d2f92197ecfc2acc3fa4e4b4373
SHA1

ef029bf54ec6b22ef700cdf5e953a85cfa5023ef
SHA256

631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992
SHA512

a651472c958012c8672608b9f71b3c87b4122f17cfdf3c8b44cd092e6df6d2c06866dec0fbf0c7fd2a59a50626d71c5ee6c0edb88fa9105fcda1558c2c408cf1
SSDEEP

6144:KLjFeOjL4MvtA6erK/9YbhOjq7VWRFBMolz90VEbp:K3Fjj5vW6eIgr7VWR5lz8Ebp

Score

10^/10

djvu smokeloader vidar 19 backdoor discovery persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://drampik.com/lancer/get.php

Attributes

extension
.mzop
offline_id
ex4uvTKsM2vEkIcr3MjXi2C6v27h1mS682iUXGt1
payload_url
http://uaery.top/dl/build2.exe
http://drampik.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-uZxWxoKbU5 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0637JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.2

Botnet

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
19

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3128-164-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3128-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3128-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3640-169-0x0000000002360000-0x000000000247B000-memory.dmp	family_djvu
behavioral1/memory/3128-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3128-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2308-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2308-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2308-198-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2308-214-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3832-133-0x00000000005D0000-0x00000000005D9000-memory.dmp	family_smokeloader
behavioral1/memory/2504-175-0x0000000000800000-0x0000000000809000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

E92C.exeEA75.exeED83.exeEF0B.exeF2D5.exeF7C7.exeEA75.exeEA75.exeEA75.exebuild2.exebuild3.exebuild2.exemstsca.exe

pid	process
668	E92C.exe
3640	EA75.exe
2504	ED83.exe
1580	EF0B.exe
4080	F2D5.exe
360	F7C7.exe
3128	EA75.exe
3324	EA75.exe
2308	EA75.exe
4908	build2.exe
2564	build3.exe
5020	build2.exe
4836	mstsca.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F2D5.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\F2D5.exe	vmprotect
behavioral1/memory/4080-152-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\F7C7.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\F7C7.exe	vmprotect
behavioral1/memory/360-159-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exeE92C.exeEA75.exeEA75.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	E92C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	EA75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	EA75.exe

Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

5020 build2.exe
5020 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3748 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5020	build2.exe
5020	build2.exe

pid	process
3748	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EA75.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9f8c54b-9549-47e5-993e-837764c4a695\\EA75.exe\" --AutoStart"	EA75.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

96 api.2ip.ua
98 api.2ip.ua
133 api.2ip.ua

flow	ioc
96	api.2ip.ua
98	api.2ip.ua
133	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

EA75.exeEA75.exebuild2.exe

description	pid	process	target process
PID 3640 set thread context of 3128	3640	EA75.exe	EA75.exe
PID 3324 set thread context of 2308	3324	EA75.exe	EA75.exe
PID 4908 set thread context of 5020	4908	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3872 1580 WerFault.exe EF0B.exe
536 668 WerFault.exe E92C.exe

pid	pid_target	process	target process
3872	1580	WerFault.exe	EF0B.exe
536	668	WerFault.exe	E92C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exeED83.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ED83.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ED83.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ED83.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4400 schtasks.exe
3536 schtasks.exe
3200 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1132 timeout.exe

pid	process
4400	schtasks.exe
3536	schtasks.exe
3200	schtasks.exe

pid	process
1132	timeout.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe

pid	process
3832	631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
3832	631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2164
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exeED83.exe

pid process

3832 631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
2504 ED83.exe

pid	process
2164

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164
Token: SeShutdownPrivilege	2164
Token: SeCreatePagefilePrivilege	2164

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

2164
2164

pid	process
2164
2164

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EA75.exeEA75.exeE92C.exeEA75.exeEA75.exebuild3.exebuild2.exebuild2.exe

description	pid	process	target process
PID 2164 wrote to memory of 668	2164		E92C.exe
PID 2164 wrote to memory of 668	2164		E92C.exe
PID 2164 wrote to memory of 668	2164		E92C.exe
PID 2164 wrote to memory of 3640	2164		EA75.exe
PID 2164 wrote to memory of 3640	2164		EA75.exe
PID 2164 wrote to memory of 3640	2164		EA75.exe
PID 2164 wrote to memory of 2504	2164		ED83.exe
PID 2164 wrote to memory of 2504	2164		ED83.exe
PID 2164 wrote to memory of 2504	2164		ED83.exe
PID 2164 wrote to memory of 1580	2164		EF0B.exe
PID 2164 wrote to memory of 1580	2164		EF0B.exe
PID 2164 wrote to memory of 1580	2164		EF0B.exe
PID 2164 wrote to memory of 4080	2164		F2D5.exe
PID 2164 wrote to memory of 4080	2164		F2D5.exe
PID 2164 wrote to memory of 360	2164		F7C7.exe
PID 2164 wrote to memory of 360	2164		F7C7.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3640 wrote to memory of 3128	3640	EA75.exe	EA75.exe
PID 3128 wrote to memory of 3748	3128	EA75.exe	icacls.exe
PID 3128 wrote to memory of 3748	3128	EA75.exe	icacls.exe
PID 3128 wrote to memory of 3748	3128	EA75.exe	icacls.exe
PID 668 wrote to memory of 4400	668	E92C.exe	schtasks.exe
PID 668 wrote to memory of 4400	668	E92C.exe	schtasks.exe
PID 668 wrote to memory of 4400	668	E92C.exe	schtasks.exe
PID 3128 wrote to memory of 3324	3128	EA75.exe	EA75.exe
PID 3128 wrote to memory of 3324	3128	EA75.exe	EA75.exe
PID 3128 wrote to memory of 3324	3128	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 3324 wrote to memory of 2308	3324	EA75.exe	EA75.exe
PID 2308 wrote to memory of 4908	2308	EA75.exe	build2.exe
PID 2308 wrote to memory of 4908	2308	EA75.exe	build2.exe
PID 2308 wrote to memory of 4908	2308	EA75.exe	build2.exe
PID 2308 wrote to memory of 2564	2308	EA75.exe	build3.exe
PID 2308 wrote to memory of 2564	2308	EA75.exe	build3.exe
PID 2308 wrote to memory of 2564	2308	EA75.exe	build3.exe
PID 2564 wrote to memory of 3536	2564	build3.exe	schtasks.exe
PID 2564 wrote to memory of 3536	2564	build3.exe	schtasks.exe
PID 2564 wrote to memory of 3536	2564	build3.exe	schtasks.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 4908 wrote to memory of 5020	4908	build2.exe	build2.exe
PID 5020 wrote to memory of 3804	5020	build2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe
"C:\Users\Admin\AppData\Local\Temp\631505406e7458ef3b2300f251ed10a77655757e77e11ff06fbacb6a625cc992.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3832

C:\Users\Admin\AppData\Local\Temp\E92C.exe
C:\Users\Admin\AppData\Local\Temp\E92C.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Creates scheduled task(s)
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1136
2⤵
- Program crash
PID:536

C:\Users\Admin\AppData\Local\Temp\EA75.exe
C:\Users\Admin\AppData\Local\Temp\EA75.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\EA75.exe
C:\Users\Admin\AppData\Local\Temp\EA75.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c9f8c54b-9549-47e5-993e-837764c4a695" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3748

C:\Users\Admin\AppData\Local\Temp\EA75.exe
"C:\Users\Admin\AppData\Local\Temp\EA75.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\EA75.exe
"C:\Users\Admin\AppData\Local\Temp\EA75.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe
"C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe
"C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe" & exit
7⤵
PID:3804

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:1132

C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build3.exe
"C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:3536

C:\Users\Admin\AppData\Local\Temp\ED83.exe
C:\Users\Admin\AppData\Local\Temp\ED83.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2504

C:\Users\Admin\AppData\Local\Temp\EF0B.exe
C:\Users\Admin\AppData\Local\Temp\EF0B.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 300
2⤵
- Program crash
PID:3872

C:\Users\Admin\AppData\Local\Temp\F2D5.exe
C:\Users\Admin\AppData\Local\Temp\F2D5.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Users\Admin\AppData\Local\Temp\F7C7.exe
C:\Users\Admin\AppData\Local\Temp\F7C7.exe
1⤵
- Executes dropped EXE
PID:360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1580 -ip 1580
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 668 -ip 668
1⤵
PID:1936

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:3200

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
22daa805c2a6b8bbfe715fdc86f56413

SHA1
16c81036f559b5862b0fb45a8bb8558f460f13a4

SHA256
b75e739320fc1859c36dc338c1677929373f5dd5d606ef6ea61614a23eee7c95

SHA512
f5c4af15bc18daff01b111fb87d1f0c9d43857a5a63f568f85590901b1ff13071de1617274d7c73fe7336965562b21143bc668ed798a1a386130c7eb57e165a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
5f37048de717939db22879d186493d92

SHA1
f2fac6a9a6261397d648aec0d3f7f2ead3ae023d

SHA256
31f3c6aa02743ff82e7fe54bcf5c3005406d9dc4858993cc4762f33f13198c37

SHA512
1188df5bbfa21db355b5bf124db2949ac6d75fa95d8aa03158b1b1bd17dd5077ee1a68691ea5e8ca866f5bb4bd8dacdba80a0d1e4005de6bfc5d9499b770acc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
480ba5e2c6bb858f43788ca5ef1c6bf2

SHA1
09003b41344e2b2fd5ada8ff6c0a772bc67e11e6

SHA256
e8849e8150adfc23390780d6948af1f17e739cd0b39d76a2dfe99d8914af4d81

SHA512
e874a3793784c54bfbcb126fd962f6fff9dd838540c38bdf2ecfcecfab6a5b5106468df93392744183aa6023fdc7626b3116a2712453f49c8c13a296c44a9096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
df3be00b5be388a73ee166fad1c7e272

SHA1
4f43576dba7b4940ca481d9965533168b0474938

SHA256
045e743f66b6a0678dc9fb19ee1d140f0491433693a88d8dd7dafe0892ce098f

SHA512
00d001b77c910df997fa7b27fd75229f8c15c40512dc74950a6e6f5068beb1adc5dccfb4325eb7dc0a3049b86656fcdc1aaee98aa31eae279fac470115e8bfb0

Download Submit
C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\704c7a0d-0e5b-4293-b195-5a7bfd3a2701\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92C.exe
Filesize
408KB

MD5
261b1db94ccf4266128e2eb71a80fda4

SHA1
9d4cd03297f31eabe957f261dc7c3c6c268bd39f

SHA256
b0072463e78182e8d9721f91f889a62d9ce59a348fddc5196b6201a5fa68b259

SHA512
2dd25970561cf9e3d946acd891b601e6aa7e6563dde6c10ed5ac1a6486bbc1851cf3908b5bdee6c9b29633e51c90339209c50d97c0ea28b897bd6e7117b1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92C.exe
Filesize
408KB

MD5
261b1db94ccf4266128e2eb71a80fda4

SHA1
9d4cd03297f31eabe957f261dc7c3c6c268bd39f

SHA256
b0072463e78182e8d9721f91f889a62d9ce59a348fddc5196b6201a5fa68b259

SHA512
2dd25970561cf9e3d946acd891b601e6aa7e6563dde6c10ed5ac1a6486bbc1851cf3908b5bdee6c9b29633e51c90339209c50d97c0ea28b897bd6e7117b1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED83.exe
Filesize
341KB

MD5
ad0cdb9e4e1b21afe13af92c938aedf0

SHA1
d0f5bc954a29cba251331ce0f75942b027456a75

SHA256
be03b91b5a912496e981e24707d21df4e6cfade365bb5ba1f2d4ef2ea2fe668c

SHA512
01106463bc9101b3aad033baf267a6d245c1358060bf94c2da5d7adbf782f0d8e21c96ebc1c41b4c15474fd7039f2550932df3fbb534b9212d1928a5ceba84a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED83.exe
Filesize
341KB

MD5
ad0cdb9e4e1b21afe13af92c938aedf0

SHA1
d0f5bc954a29cba251331ce0f75942b027456a75

SHA256
be03b91b5a912496e981e24707d21df4e6cfade365bb5ba1f2d4ef2ea2fe668c

SHA512
01106463bc9101b3aad033baf267a6d245c1358060bf94c2da5d7adbf782f0d8e21c96ebc1c41b4c15474fd7039f2550932df3fbb534b9212d1928a5ceba84a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF0B.exe
Filesize
341KB

MD5
6fc8a134c74a4ea22e4fe1263c99d738

SHA1
9325b39fe3dc44bce22f122001420151d9d85e3f

SHA256
7179477ccc594d012ddc02107b6d4e4ac0bd910f08fb2b687af54efcb4e7eec8

SHA512
01fa8d8aec2258e0d72174464405a569ca604db0aac74983f9de6d86cbbde8267f1bdfa851cc8953e7a9579032612121885fef143f66fd42e402bd999bc0dfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF0B.exe
Filesize
341KB

MD5
6fc8a134c74a4ea22e4fe1263c99d738

SHA1
9325b39fe3dc44bce22f122001420151d9d85e3f

SHA256
7179477ccc594d012ddc02107b6d4e4ac0bd910f08fb2b687af54efcb4e7eec8

SHA512
01fa8d8aec2258e0d72174464405a569ca604db0aac74983f9de6d86cbbde8267f1bdfa851cc8953e7a9579032612121885fef143f66fd42e402bd999bc0dfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D5.exe
Filesize
3.5MB

MD5
e36b667b33d4c9b76f17042fda512335

SHA1
58b18d90c7065c521980f60160f4b8a85e863f3d

SHA256
624b429fdaa3f9df7c3a64a2e8346a8dc4aadbcccbf1c6d9093e1ccbe62f5cc1

SHA512
4856a202d0c5a384dd9a663dca56bee53914297fae6d98cff00b5ee887a6908cad83776b50d5c36559b84e599d1631c5ce59777ad24fc4aa433bce4eb50fab90

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D5.exe
Filesize
3.5MB

MD5
e36b667b33d4c9b76f17042fda512335

SHA1
58b18d90c7065c521980f60160f4b8a85e863f3d

SHA256
624b429fdaa3f9df7c3a64a2e8346a8dc4aadbcccbf1c6d9093e1ccbe62f5cc1

SHA512
4856a202d0c5a384dd9a663dca56bee53914297fae6d98cff00b5ee887a6908cad83776b50d5c36559b84e599d1631c5ce59777ad24fc4aa433bce4eb50fab90

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C7.exe
Filesize
3.5MB

MD5
e36b667b33d4c9b76f17042fda512335

SHA1
58b18d90c7065c521980f60160f4b8a85e863f3d

SHA256
624b429fdaa3f9df7c3a64a2e8346a8dc4aadbcccbf1c6d9093e1ccbe62f5cc1

SHA512
4856a202d0c5a384dd9a663dca56bee53914297fae6d98cff00b5ee887a6908cad83776b50d5c36559b84e599d1631c5ce59777ad24fc4aa433bce4eb50fab90

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C7.exe
Filesize
3.5MB

MD5
e36b667b33d4c9b76f17042fda512335

SHA1
58b18d90c7065c521980f60160f4b8a85e863f3d

SHA256
624b429fdaa3f9df7c3a64a2e8346a8dc4aadbcccbf1c6d9093e1ccbe62f5cc1

SHA512
4856a202d0c5a384dd9a663dca56bee53914297fae6d98cff00b5ee887a6908cad83776b50d5c36559b84e599d1631c5ce59777ad24fc4aa433bce4eb50fab90

Download Submit
C:\Users\Admin\AppData\Local\c9f8c54b-9549-47e5-993e-837764c4a695\EA75.exe
Filesize
841KB

MD5
4f4e814518760a13cb117c4eddf388fd

SHA1
00b1d6f9ad694538f6c22065aca604e1b6232b58

SHA256
85d995b21927fa84f4bfa35443acfe1e0f89fde371106bb1806aa0d78a01572e

SHA512
75f9e86917d8103b10b78a3b30f5407a96235a2fc0a1bd09ad7e7b112be94138f57d058443352fd4d808d368ed8a40c2da98b15bf204ad37934fa85d0e1d42ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
458.8MB

MD5
29c513fbf99dc4db7905b84aa6edccbc

SHA1
0d777f1ef79096a6bd3c2891651ea0ea04292ad3

SHA256
3cf34eec419a04a4cf41b1b84c6cdb4ef2b6b9c019924c5472dc9ba5c7db94a2

SHA512
394e79b38555254442b6047a0d37287009a05fb23db14414e561942a0e6e0bfa2765a46a4ed312028c58c229962f57b151fd7814e7b46a6f132e9441b0f082f3

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
458.8MB

MD5
e710ad484ab8acaa6c0f6828dfb0bbf6

SHA1
10c76adc33f553dc07fa62c3c682260f1f9c153d

SHA256
10bb3dc534c2164894879f1faf0ccdf67bcb5dd4e3ab595c0bbae2b3f6e672ce

SHA512
810aaa26563609eb9ac829734a46f77ebe2c88937f3fc1d7f39a7875148b2068444ce0a057d5d57a5a590ed6b16c6d427ba82e4402c90c905a27fffc26f225c7

Download Submit
memory/360-159-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/360-156-0x0000000000000000-mapping.dmp

Download
memory/668-137-0x0000000000000000-mapping.dmp

Download
memory/668-171-0x0000000000700000-0x0000000000747000-memory.dmp

Filesize
284KB

Download
memory/668-170-0x00000000007DD000-0x0000000000807000-memory.dmp

Filesize
168KB

Download
memory/668-187-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/668-186-0x00000000007DD000-0x0000000000807000-memory.dmp

Filesize
168KB

Download
memory/668-172-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1132-238-0x0000000000000000-mapping.dmp

Download
memory/1156-246-0x00000000005CC000-0x00000000005F6000-memory.dmp

Filesize
168KB

Download
memory/1156-247-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1156-245-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1156-244-0x00000000005CC000-0x00000000005F6000-memory.dmp

Filesize
168KB

Download
memory/1580-178-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1580-177-0x000000000056D000-0x0000000000582000-memory.dmp

Filesize
84KB

Download
memory/1580-146-0x0000000000000000-mapping.dmp

Download
memory/2308-198-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2308-188-0x0000000000000000-mapping.dmp

Download
memory/2308-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2308-214-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2308-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2504-175-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/2504-143-0x0000000000000000-mapping.dmp

Download
memory/2504-181-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2504-174-0x000000000082D000-0x0000000000843000-memory.dmp

Filesize
88KB

Download
memory/2504-176-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2564-202-0x0000000000000000-mapping.dmp

Download
memory/3128-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3128-163-0x0000000000000000-mapping.dmp

Download
memory/3128-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3128-164-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3128-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3128-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3200-241-0x0000000000000000-mapping.dmp

Download
memory/3324-183-0x0000000000000000-mapping.dmp

Download
memory/3324-192-0x0000000002191000-0x0000000002223000-memory.dmp

Filesize
584KB

Download
memory/3536-205-0x0000000000000000-mapping.dmp

Download
memory/3640-169-0x0000000002360000-0x000000000247B000-memory.dmp

Filesize
1.1MB

Download
memory/3640-167-0x0000000000555000-0x00000000005E7000-memory.dmp

Filesize
584KB

Download
memory/3640-140-0x0000000000000000-mapping.dmp

Download
memory/3748-179-0x0000000000000000-mapping.dmp

Download
memory/3804-236-0x0000000000000000-mapping.dmp

Download
memory/3832-136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3832-132-0x000000000048E000-0x00000000004A3000-memory.dmp

Filesize
84KB

Download
memory/3832-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3832-133-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3832-135-0x000000000048E000-0x00000000004A3000-memory.dmp

Filesize
84KB

Download
memory/4080-152-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/4080-149-0x0000000000000000-mapping.dmp

Download
memory/4400-180-0x0000000000000000-mapping.dmp

Download
memory/4908-210-0x00000000005DE000-0x000000000060F000-memory.dmp

Filesize
196KB

Download
memory/4908-212-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download
memory/4908-199-0x0000000000000000-mapping.dmp

Download
memory/5020-237-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5020-206-0x0000000000000000-mapping.dmp

Download
memory/5020-207-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5020-209-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5020-215-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5020-213-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5020-211-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download