dcrat | 440d5de6aaa2ccd09e773a6092ebcf51025e7684025115f587552fe492eb5108

Analysis

max time kernel
131s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538b71221fc868d804dad1b3019cf73e.exe
Size

210KB
MD5

538b71221fc868d804dad1b3019cf73e
SHA1

aacd8fa3f58ade7d9bf281ca171e56c35a2ddaef
SHA256

440d5de6aaa2ccd09e773a6092ebcf51025e7684025115f587552fe492eb5108
SHA512

5ee98f2bb1bed67c0ca3dd3fc6e16474a8ed86d7c70dc9930ae9f3bfee26e424e1e760356a877fbc0933414bfd554c71fedbbe2591178f3f23a3b529625dd9ed
SSDEEP

3072:RVpWFLFxLBHPEsWJ8/nPsdnv/zsln7dHyuDM16yBf6J3z16RtMmfX:R8LrLBHtWiPPsVv/zQ7dHyuDUBffM

Score

10^/10

dcrat djvu smokeloader up3 backdoor discovery infostealer persistence ransomware rat trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		538b71221fc868d804dad1b3019cf73e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0992d72b-f381-4791-a0ca-c18d8e3ee68a\\F00C.exe\" --AutoStart"		F00C.exe
		2896	schtasks.exe
		1504	schtasks.exe

Detected Djvu ransomware 15 IoCs

resource	yara_rule
behavioral1/memory/2676-45-0x0000000002160000-0x000000000227B000-memory.dmp	family_djvu
behavioral1/memory/2788-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2788-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2788-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2788-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-82-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-81-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-96-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-100-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-103-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-102-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1988-104-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2412-120-0x0000000000990000-0x0000000000A90000-memory.dmp	family_djvu
behavioral1/memory/1988-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1212	Process not Found

Executes dropped EXE 10 IoCs

pid	Process
2676	F00C.exe
2788	F00C.exe
1104	F00C.exe
1988	F00C.exe
2412	build2.exe
1560	build2.exe
3036	build3.exe
2140	build3.exe
2232	mstsca.exe
2476	mstsca.exe

Loads dropped DLL 12 IoCs

pid	Process
2676	F00C.exe
2788	F00C.exe
2788	F00C.exe
1104	F00C.exe
1988	F00C.exe
1988	F00C.exe
1988	F00C.exe
1988	F00C.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1308	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0992d72b-f381-4791-a0ca-c18d8e3ee68a\\F00C.exe\" --AutoStart"	F00C.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.2ip.ua
11	api.2ip.ua
15	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 2676 set thread context of 2788	2676	F00C.exe	38
PID 1104 set thread context of 1988	1104	F00C.exe	43
PID 2412 set thread context of 1560	2412	build2.exe	46
PID 3036 set thread context of 2140	3036	build3.exe	49
PID 2232 set thread context of 2476	2232	mstsca.exe	58

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	1560	WerFault.exe	46

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	538b71221fc868d804dad1b3019cf73e.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2896	schtasks.exe
1504	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	538b71221fc868d804dad1b3019cf73e.exe
2096	538b71221fc868d804dad1b3019cf73e.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2096	538b71221fc868d804dad1b3019cf73e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 3036 wrote to memory of 2096	3036	538b71221fc868d804dad1b3019cf73e.exe	28
PID 1212 wrote to memory of 2740	1212	Process not Found	29
PID 1212 wrote to memory of 2740	1212	Process not Found	29
PID 1212 wrote to memory of 2740	1212	Process not Found	29
PID 2740 wrote to memory of 2772	2740	cmd.exe	31
PID 2740 wrote to memory of 2772	2740	cmd.exe	31
PID 2740 wrote to memory of 2772	2740	cmd.exe	31
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 2004 wrote to memory of 2652	2004	cmd.exe	34
PID 2004 wrote to memory of 2652	2004	cmd.exe	34
PID 2004 wrote to memory of 2652	2004	cmd.exe	34
PID 1212 wrote to memory of 2676	1212	Process not Found	37
PID 1212 wrote to memory of 2676	1212	Process not Found	37
PID 1212 wrote to memory of 2676	1212	Process not Found	37
PID 1212 wrote to memory of 2676	1212	Process not Found	37
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2676 wrote to memory of 2788	2676	F00C.exe	38
PID 2788 wrote to memory of 1308	2788	F00C.exe	42
PID 2788 wrote to memory of 1308	2788	F00C.exe	42
PID 2788 wrote to memory of 1308	2788	F00C.exe	42
PID 2788 wrote to memory of 1308	2788	F00C.exe	42
PID 2788 wrote to memory of 1104	2788	F00C.exe	41
PID 2788 wrote to memory of 1104	2788	F00C.exe	41
PID 2788 wrote to memory of 1104	2788	F00C.exe	41
PID 2788 wrote to memory of 1104	2788	F00C.exe	41
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1104 wrote to memory of 1988	1104	F00C.exe	43
PID 1988 wrote to memory of 2412	1988	F00C.exe	45
PID 1988 wrote to memory of 2412	1988	F00C.exe	45
PID 1988 wrote to memory of 2412	1988	F00C.exe	45
PID 1988 wrote to memory of 2412	1988	F00C.exe	45
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46
PID 2412 wrote to memory of 1560	2412	build2.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe
"C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe
  "C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2096

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6BBE.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6FC4.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2652

C:\Users\Admin\AppData\Local\Temp\F00C.exe
C:\Users\Admin\AppData\Local\Temp\F00C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\F00C.exe
  C:\Users\Admin\AppData\Local\Temp\F00C.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\F00C.exe
    "C:\Users\Admin\AppData\Local\Temp\F00C.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\F00C.exe
      "C:\Users\Admin\AppData\Local\Temp\F00C.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe
        
        "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe
        
        "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1452
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1996
    - - C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe
        
        "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3036
      - C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe
        
        "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2896
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0992d72b-f381-4791-a0ca-c18d8e3ee68a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1308

C:\Windows\system32\taskeng.exe
taskeng.exe {6AF46484-A135-4E71-9B74-E55092CC1FF8} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
PID:2016
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2476

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- DcRat
- Creates scheduled task(s)
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d4fa6d2a84fa78d11b875ea5cd30eba8

SHA1
992b2a18b5dce24b924086e93cd37a4463256c56

SHA256
4f5e1f270a70f3ad6f5de2661bb2577b8706b9a7f3c62e1eb73c38b29dadcc48

SHA512
a54f8208e37833c4ad89f751071a8912199198c8ce0aeec5cef9eadf11f2be24c6f436b8b0c13eb00080cea574c139e818b69026e72e9fc29719b85b04eac8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
e5b80321e7a61c71d2608fbde75c20cb

SHA1
5cad01f723e08a70632455bf54515ce407ee1b6e

SHA256
6e8d3595413d36dc9d15ced944041e23e01e899421960a046abbcd44cff40f07

SHA512
f7c2ce42150f4f453785268cb6099ac4efaa4cbabac842e755ba0e470fdf02e9965067f42ff19daea73fc1c77d8450fc58c20e4e51cc3bd60204e7e9a39a5ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2e4a7ab228f964c877ee5ab2d16c6a9

SHA1
554b1f21a9dbba82d04fce3b74942cbfe708b2ac

SHA256
6830d151c1744761f6150cb548a95e36d26b58da7351e480a6e498a6a7d4a1f3

SHA512
427f3c061827ab46c0a099ff1387d21ebb032b116951a31f1da41c4b5566c7e6f8431f08ff5a126c8866159f83ac06d083e9cc84b3ca6cbb7295156cddccd010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9230ab833ce263a1e023985e4c90feeb

SHA1
033db76f205a7bed55c47feff2b2c97a5867fb0d

SHA256
aad97555f363a950b0daeb60f9da63ffcaebad4fd939140a915fe1320078ff49

SHA512
241766117d39200cabf56a0881aa142584293391e290116e63a2d08af06f31aa571247374fed49713b47e16aa67308bace638d2e7ecfa787a0b8a0650a4e8b32

Download Submit
C:\Users\Admin\AppData\Local\0992d72b-f381-4791-a0ca-c18d8e3ee68a\F00C.exe

Filesize
172KB

MD5
581ec3b00053849e6999861b394880c3

SHA1
ba67915e42492112f61b49bce21afb30bce41153

SHA256
26073eb2e29a72b1eb23b04b6ba2fca1752f93a8acc94535ad865ce869d55224

SHA512
1fd23d06d24b4736d23214965f3df57f1b2054b9c38bb41de6aadedad21396ca5aad9c225d5483333bb1ee4af32ad75bc25391238c588376ea3321028ca6d560

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BBE.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14B9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
212KB

MD5
97e61f23dcb866ea0ca377251e77cdd4

SHA1
9680a77c75d3da14b30f734a55d0f49d158026bc

SHA256
d27526404767a4afbc13b90356300b8695bb4d06bae187704ec9906e66612842

SHA512
16467579ca90fcfb6daaa8b0a3349add57bfe315025e59f484a6bea491a0a2569eb75d343342f9f046f6c35d7eeee059d8e20030e361e82eef73f4fe635ba4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
328KB

MD5
8774a42551b4e7891e281c26b682ffef

SHA1
1bc7728889cbcaa37d1f2c4d4246a72583cc4089

SHA256
d6e387ad4d55ee08566e260266a6ea662f01bc6dfb9034bb308ee89cd0c2c6d9

SHA512
4af6f5322ff5b40ad7c7f217e11c8890aa3d09e4df7b05146f673cedff8cf8ba917d50cd176fb489ababb06a26b9d691949c310f31f15a4077f874eb54f39341

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
85KB

MD5
eedfd690d51e17d0f1a152ce0643a11b

SHA1
a18a26cedc1195613de1c7098f0370eea71c866a

SHA256
58a1181e5d2522298fb00d97fc12a1938bc75e5b10b44dc36b308e74ffc6ba2b

SHA512
0fbed5d6a28c489e8237c17a101760d7f157fa6f4f0c0254f296bc32072cb1203e505656ecc96af08900de6c280f64c795ae6882be71781021736ed7cd1af66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
14KB

MD5
d74651a2687975601e1bf4e8c61e7d7b

SHA1
611f52f3105b963761bc82892ba21837f5e80052

SHA256
708ff30dc65d70fa428800f979a750629360f59b44f69cef18c11e7f871626c0

SHA512
c1b110b53b70e2467ce070180da8eee64201db2e5598f87231203393d064b05bf0f8914465b401ba9868361deda8c207544fd49b7c24ca0fca0f2053936a8087

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
367KB

MD5
88c329ae9111ea78d0b222420cff4da9

SHA1
0be6e99356081b4811a35fbf9692a47102912e4e

SHA256
d5c44cec2943f0f3493c8655091faf211f1094274ed8b7da3ce10fdce684a957

SHA512
14be0a3f754c64123d0136d68c437b060fa09ad8f8a30e1fd6c3b9f0881542ca46d0a98887e76a721b32eb26293e56b1214f48dd39b453b69e04dea1fb8dad63

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
661KB

MD5
0863a6996f1fffb76ff08274e3bd243b

SHA1
434fa13959b75f4d7b1b7d1ed83b251f85fc47c4

SHA256
2eb6d314f4910a0d1514fb5a9a93a3bddccc95b6c3ec47b03ee1bd0eb71fc856

SHA512
541560d4d1ab2136fc6d2625c9b776202d64cd64a6a8492f673f171af6ba6bc49e1d7c7079a5948e7f6cb36d2bb77740ce1aa9e5e8930dc967b201774c6544f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43D5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
91KB

MD5
e55b624cc074f912cbf4af5578b2f2fa

SHA1
c34e38a853081658ae0801ad9a5ea3a8c044025c

SHA256
54b27fd0b0fb313615cffe681c73c9ac895286926cc354c112d0a30eb7063661

SHA512
5f0a7ebf96a975e88c85f230656e6c9a1b3057eaf5bc7b2f5ebf0e31618eefaba4203e35842cbb0aa28b8040b0b4560b29686540d4f4f4ca76e6337cab248acb

Download Submit
C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
150KB

MD5
c80ed9af29d4fd5342d1066df00d125e

SHA1
cc8c74abe3eab5ae71e38c5dc7ef886a1464d03f

SHA256
b6960f34612f201118eac575cfe5fca38eb033b99b4dc249f9505852353621f2

SHA512
90f8cacca136b73b0b4e5149d7ab05c21dec1a2b984b39cc14dd1db3c7832535eb795a4c9a76931a4f8232a81a5df16e10d68483dd1ef13d3a3e4edd00eeaa0f

Download Submit
C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
198KB

MD5
3d9865840d4d5aec2948d3f3ef964db3

SHA1
10360c4153f13cd3e9bcb88d8ff0eef8b7c893cc

SHA256
a7ace9b1199e47c3e48ce18bec426d64aea28d1fbd2005bba7ebe43856a21c52

SHA512
cb9eb040a74d96ecdcc197319096f226412d351dcaea049ef1c43488e5d73fdc5ec5d6b44b0aa271c2a77ac7d4e3b9c82be715e951fbeeb8618819b7001b5836

Download Submit
C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
114KB

MD5
5b2ba1f88c34025261da2c32256e3d30

SHA1
0dec1a7f9c032ad66646a00e0074a4eb9f9bf0cc

SHA256
93a4300396e88507cc8dfdfce60f7bdc8c0302c0d95d6ec4f597bf60731cc7f9

SHA512
5805c273615f7cc22b4014ef7237326400fcd5283518025cff3a32d8afa7a3ce8327b40223c5d6dd47ec68dfe9af7ccb558fd2d3aa1e02edd6fb4d9d99884d27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
210KB

MD5
d2d714f467416fb117f7fdcc698d1ee7

SHA1
b6d0bc272806a88ac5abdb643deb2b750114d852

SHA256
5a14ebbe4bdaae479cd8385418e0c02bccbd1f47dd6bcc68c76493d91512d436

SHA512
cd1d4d096e80281acf4f9d7520531bb808c03e0cb6f6d5fe9c819b8c447ed74f4c2bc204775721e17c17e55c7a1d0ccc6f7a577877a3792da6de39dd7c99a039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
200KB

MD5
034b6d734a57bfd51ca3d902c92cbd89

SHA1
1c4bc3f6f7fe6ebcebf5375209dc671a2f5205fa

SHA256
921c0468b6f2a1b45e9161ac22e9d5c0ad58997e71d267ef782645b32c77f81d

SHA512
2d1fa9b6ff274fd1796c5b29472d1e347d07df8f736863b00f322ee6d93d89277cac2808ef9aaf99f504dd16180308ba44d8453264a6f4743c1d4e23c3113a2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
32KB

MD5
84d7df5d8ccd0a35f311e763eb34b451

SHA1
471d04e1dbd87086c034a5c8bcf9a4618afed2d8

SHA256
7f1ae63a159c837c3f3c163f7c7decf7c2ebaa52876893344831177e84a97cd6

SHA512
2d843bcce64bdfda943a0732355919976ae092c24cfe47c7e105c22aff0ce730231ac9b899c86bba7992765ee84af5b275f3ea414f1f9ced6c3aa3b5e0aca030

Download Submit
\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
132KB

MD5
c34eb5ede344b1010070ab72033de77d

SHA1
474d238eff550b6fcd23fff5957b67117ac85766

SHA256
c7fa4a2cd18bcc6456d39d38747f94c8fafe8440e9da72949cd0f9dbca4202ae

SHA512
5705e070788229534bd3a0328c432210fca7f5645aabd37d6bdc3081d62ef2790d60fbacd8f8fd365817dca9c7e55aca68633f0c0eb0cf0c4a2b6941f5be4e66

Download Submit
\Users\Admin\AppData\Local\Temp\F00C.exe

Filesize
709KB

MD5
fb63e92c110edf654aafd854d6dfce74

SHA1
f42755793df9a53e786863f9eecaa5fd50087e6a

SHA256
56cf2235afa22716da576cf8e894ee3f480cf92c5e406a342666aabcec19c55e

SHA512
66744b574fabd0765ca85a59bb5409e95bfdcb6f96c434dcc0e8efff980a34e159ae8030ec04b8266f3db281d66f07f8ca503993dc1b104bce611a38f7a47985

Download Submit
\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe

Filesize
216KB

MD5
a187125322e7072de3196b7ae5684f65

SHA1
c2563b181c8d7a84bb9a758994d4b5fe644315ce

SHA256
69941676bb04f17207d351806d67e888a0b0e064624dd4b72330d81726ef31e3

SHA512
c46831c360acbd942a2dbdd34d400f3309525b2c22df9394ebb9f18a36a5d738471d60e15b8997eb7f8d77a4ba9947209171a796a52bdac67566a51eccd4138e

Download Submit
\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe

Filesize
202KB

MD5
5f7cf12ff9e606dbb19ae3a6c116e92d

SHA1
56db8a369ea68b4b7850e9472e1f427a8a82f9f7

SHA256
10580739cd1ea6f7b112681ff7b338f32410ad6281a3fc4efc5464a81b947083

SHA512
e0689a89912a1e3b7e2b70b00afa927c9a577a3fab3d82c8fa290b60effa57a36231f33fe142b9701c5abeed7fe83e361b84fcf5d83fa3a87bb6bef35c13f30c

Download Submit
\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
161KB

MD5
c5f8f162f8ac54b49f16637f4c805d87

SHA1
f7d5600b361ec2f5e2fc3a2c038511a99cf41a4f

SHA256
5e0678325eccbdf0d60f49e5127bad88f77c5dd31a9a6c4fabbc4ce985b17453

SHA512
6cfa27c41c77ea063c6add69fb2e0532434e32376dcf4cdfc59966d2b0929643e2c30413ad42a7ef03199f6dd2eb3be43daf05aa220a8fcd011ece70e073f235

Download Submit
\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe

Filesize
119KB

MD5
fe9df65489ce18b48155ad707282db64

SHA1
8630ffef77e3e7cff4500981fcb967d5e05143ae

SHA256
cdda6a809413af88bd74959febd1a15cdf5185a975f55a40800f3cb347f9283b

SHA512
b5631a34ed682f0a5e86fff90606db7304acb1cc9edd33517329ff457a4705ca8079432d8f1f86080972a0a35f817cfa7cfd29c711023b5d961849b350fc03df

Download Submit
memory/1104-74-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1104-72-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1212-7-0x0000000003F10000-0x0000000003F26000-memory.dmp

Filesize
88KB

Download
memory/1560-279-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1560-127-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1560-126-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1560-123-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1988-81-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-100-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-103-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-102-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-104-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-82-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1988-96-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2096-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2096-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2096-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2096-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2140-210-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2140-226-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2140-223-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2232-295-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2412-122-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/2412-120-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2676-39-0x0000000000950000-0x00000000009E1000-memory.dmp

Filesize
580KB

Download
memory/2676-43-0x0000000000950000-0x00000000009E1000-memory.dmp

Filesize
580KB

Download
memory/2676-45-0x0000000002160000-0x000000000227B000-memory.dmp

Filesize
1.1MB

Download
memory/2788-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2788-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2788-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2788-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3036-213-0x00000000002F2000-0x0000000000303000-memory.dmp

Filesize
68KB

Download
memory/3036-222-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/3036-1-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/3036-4-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/3036-282-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download