djvu | 58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b

Analysis

max time kernel
298s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15/01/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
Size

759KB
MD5

6f89ec245ea854d0e13e12be1b96c4c1
SHA1

e4625c074a0e14f1df3f47370b8b2b7246afbfc4
SHA256

58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b
SHA512

60830f51d447b41bf6ea8c54e3cf07aa5285d2928bf302acfaf237693530a3e68704b05b59db92912e3f64858309dd754dc42a60a3f0c75d3a8c96a3678a2f1f
SSDEEP

12288:R3U/qyAXBb9nFOtXy++zB71x3CmmtPV3B0BFAam3wZ0gkCCydbe:2/qyAx5FOUld7qmmx9CO5wZXkVy5e

Score

10^/10

djvu vidar discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2044-79-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2044-80-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/740-75-0x0000000000230000-0x000000000027B000-memory.dmp	family_vidar_v6
behavioral1/memory/2044-76-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2044-226-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6

Detected Djvu ransomware 17 IoCs

resource	yara_rule
behavioral1/memory/2240-2-0x00000000004D0000-0x00000000005EB000-memory.dmp	family_djvu
behavioral1/memory/2916-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2916-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2916-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2916-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-241-0x0000000000250000-0x0000000000350000-memory.dmp	family_djvu
behavioral1/memory/436-298-0x0000000000900000-0x0000000000A00000-memory.dmp	family_djvu
behavioral1/memory/1468-338-0x0000000000880000-0x0000000000980000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
740	build2.exe
2044	build2.exe
2452	build3.exe
2016	build3.exe
2100	mstsca.exe
2640	mstsca.exe
1440	mstsca.exe
2248	mstsca.exe
436	mstsca.exe
2328	mstsca.exe
1468	mstsca.exe
1388	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2100	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2d35282-fae8-4629-8a65-b4f4bf65e769\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart"	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
9	api.2ip.ua
10	api.2ip.ua
3	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2880 set thread context of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 740 set thread context of 2044	740	build2.exe	34
PID 2452 set thread context of 2016	2452	build3.exe	39
PID 2100 set thread context of 2640	2100	mstsca.exe	46
PID 1440 set thread context of 2248	1440	mstsca.exe	50
PID 436 set thread context of 2328	436	mstsca.exe	52
PID 1468 set thread context of 1388	1468	mstsca.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	2044	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1520	schtasks.exe
852	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2240 wrote to memory of 2916	2240	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	28
PID 2916 wrote to memory of 2100	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	29
PID 2916 wrote to memory of 2100	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	29
PID 2916 wrote to memory of 2100	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	29
PID 2916 wrote to memory of 2100	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	29
PID 2916 wrote to memory of 2880	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	30
PID 2916 wrote to memory of 2880	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	30
PID 2916 wrote to memory of 2880	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	30
PID 2916 wrote to memory of 2880	2916	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	30
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2880 wrote to memory of 2152	2880	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	31
PID 2152 wrote to memory of 740	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	33
PID 2152 wrote to memory of 740	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	33
PID 2152 wrote to memory of 740	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	33
PID 2152 wrote to memory of 740	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	33
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 740 wrote to memory of 2044	740	build2.exe	34
PID 2152 wrote to memory of 2452	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	35
PID 2152 wrote to memory of 2452	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	35
PID 2152 wrote to memory of 2452	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	35
PID 2152 wrote to memory of 2452	2152	58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe	35
PID 2044 wrote to memory of 1000	2044	build2.exe	38
PID 2044 wrote to memory of 1000	2044	build2.exe	38
PID 2044 wrote to memory of 1000	2044	build2.exe	38
PID 2044 wrote to memory of 1000	2044	build2.exe	38
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2452 wrote to memory of 2016	2452	build3.exe	39
PID 2016 wrote to memory of 1520	2016	build3.exe	41

C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
  "C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
    "C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
      "C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
        
        "C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
        
        "C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1464
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1000
    - - C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
        
        "C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
        
        "C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1520

C:\Windows\system32\taskeng.exe
taskeng.exe {E83BAB74-7AE2-4AD1-AE09-0419A9B8AEC3} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
PID:2088
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2640
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:852
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2248
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:436
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2328
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b7470a9aa569b259d4c2bb3b80ae3aa3

SHA1
093290296b7f1e402ef96e4b33a88f064aa401eb

SHA256
ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6

SHA512
4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7a617aacb167ff477b6174ea445129ac

SHA1
a8621d37008de52315fc425204e12e430400b027

SHA256
4833a7c1b75f46d2270dd956c6cd8275039d00cd176dc4d5741670928fdd6a10

SHA512
040631344987a1195f331c222b04455533a235253da8a854a3bf20d3c9e9fd93effd22f677f25222f52e667e70d5b4e3c8fa7fc2fa1bed54588bdf5178c9e07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8fa59842506baabfd6dfb2364632958

SHA1
aa5ad8196c99651c4d96b341d7dd0ed8f1a9b367

SHA256
3b6584ff933e9583ea9c988a65354060522f90c5507edb767b49ed34fb188eaa

SHA512
1403b765c0567672ba93d5098df503c304b836be9c80c816d3109e68c6e584df41e86cc9ceaf0836138654283f6c63d50f126bd5398781c557f26e1b467caac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b9834a90af53b48e47bc03ce501cef1

SHA1
819f847cf6d4f7393d81f8399b798999cf082947

SHA256
e3b22fe7b710d185c43e5ef21a4e2ff01101ded1eb7fedc277f90972855289a1

SHA512
b9fcb4b3311f810e6912853b8936ec175f33fbf8e652d18e0a2d23760f4f11bfceac7a9b22c3f6e625773ec9c88ba81c17e49651370e740c2db91b28c3e2c410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9f8cb28a41f4e6ce22e66da1394e3493

SHA1
89be50044db9b8fe36c9c8ffa583fa85e83086c8

SHA256
9e25075febf7fde0e6c7615b06b1e0ca3d5e4629930809eb2d46cd34924f4ead

SHA512
dd7f6289c9821545a979b3516743bed2ba71b4e43ca3b6eee9e7fc0ceaf1c40f8ec817a067ba8050e56195438ccb602b262b64e0f58bd52121715892f234f0f3

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
69KB

MD5
c2e8559bea84c210250b05175275dd91

SHA1
21ba87ac0920c39986d1dd6d0f12d707f0f22b0d

SHA256
7874e9bfac041e51b91565bc75494e41746da7b216daa8de4f14e3038ea1de69

SHA512
1d76b016b8eabdc2b54cde0707af1f3a1a691a742db8a34bf338dfbb1269f3a1a6d16ca64c7208565afa652a566c4ba6a66ca0db8fe6d953d644845705318fc3

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
60KB

MD5
e89bde19fb9b37c089ca3abd84b032d2

SHA1
bb7544fca99ecc0ad52ada96174aeab60fc73ff3

SHA256
aef4380723a2bffa187fad845a3b07c1977e3fcad4e4864a63c691da7a3a366c

SHA512
a4a63857e2084559f6a9a1b405057e0105ac6dc2ede932df7ebe3c1967b2df099131b0a37aada12945220eb94cfac691d67d0fe82898d1a9a42096cf60a9772e

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
89KB

MD5
f95ea965e227ac34fcdb0a2861639025

SHA1
e2249206c9436cb19c6192d418b0aa6c7c3c6d6e

SHA256
906fd64c362f6750499ae166302d4d8e1268176ceed0f14dfadb8e1d272c0e92

SHA512
0a405ac3e0439e8ca87f90abecac99cc094b5bee6e331f115a2058a214450d73703dc98d8eb5e2870483472f620732f16be6144e2945481a335861264e07a538

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
144KB

MD5
f94c2f0a318fbe7d6abbdb7f94bc996f

SHA1
ef0bc409ee4812c2b7a1dd85c8cabc802e80a1c2

SHA256
cdeaa3ffd1338cb4b02c66ebfeb6dc6f1070beb6e8fbf501477129d7eff34670

SHA512
5ac94bcea0847ef32691e21c64f67aa90f8f09c136695297166681047cc1b3abe0127f1b0a8397163ee5e40fcc38d246bc1cce7e63b3bd0d8318228af70b380d

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
119KB

MD5
38331a82abe588b06cd02561e498c89c

SHA1
15ecc31f1cac2903830080b760e32740cfae3bb8

SHA256
c4e53a406513d0af7c491270e3eccd6f0c3c1973c7750a37fcec8c7c5d38e144

SHA512
c73b68bfe28b9f553b616dbaa90bf95021859702dc1b83e08bed12a0378b1f74b3e9b5e164ebfd74a3664c5c09c596cfb6f6a40a08b48f16229f1639f5c0adcc

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
113KB

MD5
a82bf8636c06e7081df3c88f120640be

SHA1
4277d5f45ced663c86583f9c8e6ff339fae8cf79

SHA256
315c021ef2b5fd836b1242309346102c35da6209a54b25207af192283e74267b

SHA512
8160aa3a0978473c816185d021f6ae993b62f16613cc3c0af71fa619b818de18e8a839b6994821bcc141655585eeeebcf7acd8852c10a0bdfa495164a5f79ab2

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
192KB

MD5
8c01266d2ed407f681b1a0b88a81df25

SHA1
d2b29a1e598e83f6fefe12cec439e6384f1f146d

SHA256
74156317e67a872f05786ca5080851ca94d9fbcc55905ed141d9910df5651902

SHA512
1be9f6398b996782f5d3fb017aa65852cb15cce4c5656ede2b76317e2b23ff84d4c71bb0bc055da3a90b94c5b4d6419e4907759ea6a1e17ec7c0413d65f2bd1a

Download Submit
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
162KB

MD5
60a12caace88752fd7810023659be910

SHA1
9ac460eb628d0b5a7e4aac60af374f817265c236

SHA256
45b4414c9bbac9f5725fe3d9dfe48aec2ce4d44a4df8d3bc30a7a8a3555eaaa1

SHA512
802caf09043df8f516be8db08859855344aadc2285f04d3da12483a0ca674710149a636745823e58e236ecdbc1894b9d96980c6fa46c59e0669e2e061a1c4db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6CC7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8538.tmp

Filesize
30KB

MD5
1c72ad556b8e38e1c6329e18e5a639c4

SHA1
29af4d07dd3346f6bfecbd614825d29d7c60674f

SHA256
48fb75c2c46735c2410b2322f0e590b5e8878e82fca923b61b02d5a7288ebc63

SHA512
2c23e244492da837e9777d5b0bf12173e3458a5f9317b0c2c1305116669111d2451ca475328d69fe88278da071ed4413ff762587a18567b170e392c2b34e57f9

Download Submit
C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

Filesize
756KB

MD5
801d88770313a1b52d78aac315b5e44e

SHA1
295694fa03a099bb977049b5d0348ae59ffeb6f5

SHA256
b0922cb660f9d08eee36ea7c11c6109301597c97f420e5e4a5211ff420bac8b2

SHA512
04326ffee6c928e1fbb527a6fd6e66eeebcd9ecce1d53dde694cffd2847df1514e2cdc5dffc0785ae9da705298fa76ab7e6fdd5e6d666e5c0f3bc3ccb8fb350b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
94KB

MD5
667e150e0eaef936810f438619a01955

SHA1
3bc7f72365daceecc63162ba53f9b90eb65a7be8

SHA256
3c6ab98262ad6701a7e0f1abba0c1ab0d85e2613bda4ece76533267daa30f97f

SHA512
11cb93f49a3fc1a21488eca1676419511cc1b915db878e0c1978eb1bbeee8aa39d7d14cf2de60bb690dc95aeddd9186f948974178806b0ac6beb200ef368494b

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
79KB

MD5
2b1044986fed50e3db11f62830caa61e

SHA1
007be66f57f620becaa579d7b62ad133f9611b9e

SHA256
ecf7cb6948472812e614d5b0d502ca87e363521db2a11bf1a55450b9ab5acda5

SHA512
2b06b7e92d2e1ff66de2939a1a1fcb60c38f8bf5847674a28d96aecf214f74c6025e2db91819f43416ae96ffd0847def53afc79d8510748866542fc27dfbba17

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
159KB

MD5
a99dce227407cd4a8ae67fbe37b6079d

SHA1
81abb6534ac149b97cafa41e580a707de285b790

SHA256
c6c569d62c9a1ac8d5adc29a449101b71cacaf680766bc97f997a93b2ad3a273

SHA512
ab309db5b34806dbd733c26c0f4ab42d0b564212c4205d34d7b0a71e81af489927e1bbbfe65bb5e767f7ab3b59a94e9cf32485df32e00f5b98bdedd5e4f1dcd5

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
45KB

MD5
1bc8b52ac0ae323631fe28dda57f1c0c

SHA1
333c0d702ed1216ff087e5348646c7d2c5f6b50a

SHA256
ca2a209552033bfdc228bea070a611d8452616fd2cc23ee0b53363f80ff8ea1c

SHA512
5d1d61e7fd700b75f8ea89a5322f9bdae14486e365bfadb56fb8d20c2a4084cb2b94aa23f50efd692fbc5979cb0e6a0af8c3dfe326baf43d394b13a15e656f56

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
131KB

MD5
ad38fdd0db4c7c0191ae83ce7a61e4ee

SHA1
6843d68e8290aec4cefc0ba37a8d61a10b1c7e7c

SHA256
66fa9727b477df887578c3570f26ee57571d0ed82dbdbdcde028fbe1541b5fea

SHA512
905d95ccebac7d64adfdcdc7a7efc98744713c7ce09edce5ab3ea9f6b885c9e019052887f7bf0d905fe6d231191d83027993d11edff7c9dbdd25f12f6a11bcb2

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

Filesize
77KB

MD5
efdf40d4b946d5fe1253d2e40f9c5115

SHA1
bfa7e266d5260cabb1631b046dad2cf747ed64f3

SHA256
0c0589df21420e803078064ff51f209744b2123146cb8072af9120e44a798171

SHA512
23c92e5afb065878a8cde7b4ac1d9d53ba590cc039b4b6f944cce2f06efb92ae39cc9735e8fb352aa2087f369a268dddcabeb017e0d18f4b5d24b4b6f56e1b09

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
64KB

MD5
8b6a819c6926597dfa7529b692d7a6cc

SHA1
50c535e9cca464afd3a589d2231d87ce417d4312

SHA256
b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c

SHA512
dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

Download Submit
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

Filesize
80KB

MD5
e1851d2ef4776535dda5f7813c664724

SHA1
4337e412b5a9612e4fca5f696185fca563a4ffe2

SHA256
a8e228e248ed175221b672da4f12a21559ed79777b9fcc38c9ba12603f9cc2e4

SHA512
f50bbde99af3c938756e880b15457f313c3188225637a8e4c03b7ddaf4771cf28cd07772ce58986f46c25a81fec095c639a28895235e9a7a92182e6e127b64de

Download Submit
memory/436-298-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/740-75-0x0000000000230000-0x000000000027B000-memory.dmp

Filesize
300KB

Download
memory/740-73-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1440-266-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/1468-338-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/1468-326-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/2016-222-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2016-217-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2016-223-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2044-79-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2044-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-76-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2044-80-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2044-226-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2100-241-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2152-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2240-2-0x00000000004D0000-0x00000000005EB000-memory.dmp

Filesize
1.1MB

Download
memory/2240-0-0x0000000000240000-0x00000000002D2000-memory.dmp

Filesize
584KB

Download
memory/2240-1-0x0000000000240000-0x00000000002D2000-memory.dmp

Filesize
584KB

Download
memory/2452-221-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2452-220-0x0000000000312000-0x0000000000323000-memory.dmp

Filesize
68KB

Download
memory/2880-27-0x0000000001CE0000-0x0000000001D72000-memory.dmp

Filesize
584KB

Download
memory/2880-34-0x0000000001CE0000-0x0000000001D72000-memory.dmp

Filesize
584KB

Download
memory/2880-29-0x0000000001CE0000-0x0000000001D72000-memory.dmp

Filesize
584KB

Download
memory/2916-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2916-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2916-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2916-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download