djvu | 28182eeef1af984a72678a4c52478d74f67c9729f4b1a4bc33c3068eead62255

Analysis

max time kernel
117s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/04/2023, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

724KB
MD5

2507457dc74ba35692289735b816bc33
SHA1

fee3651f12fedaf4cd149dbfdd5da55ac773280e
SHA256

28182eeef1af984a72678a4c52478d74f67c9729f4b1a4bc33c3068eead62255
SHA512

ed1b32092b36673b2cca1650093478b340e00bbb2fa82730b526c142e174ac20eacbd03acbeb687ac03ecece07aabf1ef25f18bad1afa3f28566abf15538b7e2
SSDEEP

12288:mKCPTMtiFp8UhZYW4Na3UMJMgY2cn/S7FnD/1CmgwOYIlPHcloW9WAPCvQf9/z:mKCPfFpLHAU3UCs/n/S7BD9Cx08P+F93

Score

10^/10

djvu vidar bf58e1879f88b222ba2391682babf9d8 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://zexeq.com/raud/get.php

Attributes

extension
.coza
offline_id
O8Ao46dcCReRPC4I1PGMYsRFFc9WI5eOp0O3MFt1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EPBZCVAS8s Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0693JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.5

Botnet

bf58e1879f88b222ba2391682babf9d8

https://steamcommunity.com/profiles/76561199497218285

https://t.me/tg_duckworld

Attributes

profile_id_v2
bf58e1879f88b222ba2391682babf9d8
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

Detected Djvu ransomware 13 IoCs

resource	yara_rule
behavioral1/memory/1716-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/624-58-0x00000000047E0000-0x00000000048FB000-memory.dmp	family_djvu
behavioral1/memory/1716-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1716-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1716-98-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-107-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-160-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-178-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/828-208-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1840	build2.exe
588	build3.exe
1932	build2.exe
520	mstsca.exe

Loads dropped DLL 14 IoCs

pid	Process
828	setup.exe
828	setup.exe
1840	build2.exe
1840	build2.exe
1840	build2.exe
1840	build2.exe
828	setup.exe
828	setup.exe
588	build3.exe
588	build3.exe
588	build3.exe
1932	build2.exe
1932	build2.exe
1932	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1836	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0dc23a87-836d-4bbd-a1be-3a55d8661063\\setup.exe\" --AutoStart"	setup.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
12	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 1716	624	setup.exe	28
PID 2036 set thread context of 828	2036	setup.exe	33
PID 1840 set thread context of 1932	1840	build2.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1700	schtasks.exe
564	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1716	setup.exe
1716	setup.exe
828	setup.exe
828	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1716	setup.exe
Token: SeBackupPrivilege	1716	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 624 wrote to memory of 1716	624	setup.exe	28
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 1836	1716	setup.exe	31
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 1716 wrote to memory of 2036	1716	setup.exe	32
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 2036 wrote to memory of 828	2036	setup.exe	33
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 828 wrote to memory of 1840	828	setup.exe	35
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 1840 wrote to memory of 1932	1840	build2.exe	37
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 828 wrote to memory of 588	828	setup.exe	36
PID 1840 wrote to memory of 1932	1840	build2.exe	37

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0dc23a87-836d-4bbd-a1be-3a55d8661063" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe
        
        "C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe
        
        "C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe
        
        "C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:588
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {75B1445A-F046-4C8B-943F-25D7C762C207} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
PID:1576
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
fa233b45db82551f99dbef0228a3230e

SHA1
d1282ccc021ce2016499fd755c71d49f2f353b6c

SHA256
f7b9fa61ba5a068a693c957b733c79279406494b069b1adef21a8ec2d22c6b2e

SHA512
398582cef2d630a75c9c0611c0dc376c667f551b8712c8dfeabf6b6eecef5ab33027fac59b1963ed44d82584dd171b3b832d389b043fd56368545418eaf05c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
b7263b275d39b35a30dc1c997259591b

SHA1
22ff18c6f51280d4b41361fbc36c8cc8134bd70c

SHA256
f9bf7b98d683c868daf9015ff946510adef6cdbe093bf3b30004bc3db0d5963a

SHA512
251cbce9f5dc25f83cf4c6542e87dbe232b740667b48b5eec5903fb0c3a6c4442841bd8021dc949bc719a874055cbffff0bb522635aae8c8e24817ee83a91506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
f63cf4aa090dddcf82c7b9a8f5f74baf

SHA1
8909f4d133fb9cba217c4ebe04aad47aac25d550

SHA256
a8a143050b66fe957b450c53031a7488ca5fb78449b6aade6c7b78b2807e8e8d

SHA512
d67eea3befd14ea2ef66ce7857391a54b7ad28b7b7073d140a2e78fa4ab4e1060d3e02ff4594f44493291274dcaa20d007a92fbd7add974b655353f2d866ccd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ed8b881534ab56cf381a56de1078b953

SHA1
a8bae5c40cf12d136c28e0ffdc2345aa2d44d6e1

SHA256
8cb9a3b26b3eba6c521b27aea11813dda950432bd76aae9554b0fbf0772365c1

SHA512
74ad487485be051d36e8a01fad3957c210e42c54ea48f6d21291183edf8f5639bc7cdb1c992f2d0c765967c89ce80761ce14600d06b17fa624ad24ad49ddd62a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
aee2878985f2e327b5765d48c370fd80

SHA1
3b08d940255be45fe0eb295f8d257736c74875fb

SHA256
2874c694bb2baf52811b559a4bfba1e223e23cb36735799b77f50bc61e8731ad

SHA512
df850f9df1458babff7d67b8c66fdaf7573fc0c7cd0c80931a36c4e2eee5db7fa8121697f4cb405f44b0c39c9ac0dbae123ca41c63dc8d42fb4213d319598b18

Download Submit
C:\Users\Admin\AppData\Local\0dc23a87-836d-4bbd-a1be-3a55d8661063\setup.exe

Filesize
724KB

MD5
2507457dc74ba35692289735b816bc33

SHA1
fee3651f12fedaf4cd149dbfdd5da55ac773280e

SHA256
28182eeef1af984a72678a4c52478d74f67c9729f4b1a4bc33c3068eead62255

SHA512
ed1b32092b36673b2cca1650093478b340e00bbb2fa82730b526c142e174ac20eacbd03acbeb687ac03ecece07aabf1ef25f18bad1afa3f28566abf15538b7e2

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar370A.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build2.exe

Filesize
324KB

MD5
d0eb40fe08f409805aed3f5312bfb5b8

SHA1
5f7942d58673854f01d25c3831efcba4182882e9

SHA256
2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6

SHA512
ad0925312dfb7f2ac82670b77c746920154dc2095553ef0df70c0a935bf4d0e31850bd6c4781cbd4e97fcc0a1bf3f918e977134b9d9101ed71088278a7b61e94

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\1c1623fb-5fe7-40d9-92eb-2c5283033c20\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/624-54-0x0000000000240000-0x00000000002D1000-memory.dmp

Filesize
580KB

Download
memory/624-58-0x00000000047E0000-0x00000000048FB000-memory.dmp

Filesize
1.1MB

Download
memory/828-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-208-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-107-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-178-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-160-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/828-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1716-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1716-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1716-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1716-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1716-98-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1840-200-0x00000000002F0000-0x0000000000347000-memory.dmp

Filesize
348KB

Download
memory/1932-203-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1932-199-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2036-99-0x00000000045A0000-0x0000000004631000-memory.dmp

Filesize
580KB

Download