djvu | b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

222KB
MD5

11ac7990dacb8fed9a583f69660a8310
SHA1

a891612189e2db49a16704a9ac08850c5a76be3d
SHA256

b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a
SHA512

7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5
SSDEEP

3072:yKSFP/aG5wOG9vlyLfniPI4JSzjEz5MXzHuSgAChOrFgjaaSpGq/B:y5FPyrs/iKzeMXPVh9p7

Score

10^/10

djvu smokeloader vidar zgrat pub1 backdoor discovery persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1748-109-0x0000000000240000-0x000000000026C000-memory.dmp	family_vidar_v6
behavioral1/memory/1148-112-0x0000000000400000-0x000000000063F000-memory.dmp	family_vidar_v6
behavioral1/memory/1148-116-0x0000000000400000-0x000000000063F000-memory.dmp	family_vidar_v6
behavioral1/memory/1148-117-0x0000000000400000-0x000000000063F000-memory.dmp	family_vidar_v6
behavioral1/memory/1148-278-0x0000000000400000-0x000000000063F000-memory.dmp	family_vidar_v6
behavioral1/memory/1148-286-0x0000000000400000-0x000000000063F000-memory.dmp	family_vidar_v6

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/532-305-0x0000000004C70000-0x0000000004D3A000-memory.dmp	family_zgrat_v1
behavioral1/memory/532-306-0x0000000004C70000-0x0000000004D33000-memory.dmp	family_zgrat_v1
behavioral1/memory/532-307-0x0000000004C70000-0x0000000004D33000-memory.dmp	family_zgrat_v1
behavioral1/memory/532-309-0x0000000004C70000-0x0000000004D33000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-32-0x0000000001D20000-0x0000000001E3B000-memory.dmp	family_djvu
behavioral1/memory/2632-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-93-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-121-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

1188

Executes dropped EXE 14 IoCs

Processes:

DCD7.exeF3B3.exeF3B3.exeF3B3.exeF3B3.exebuild2.exebuild2.exe1815.exebuild3.exebuild3.exe8E3E.exe8E3E.exemstsca.exemstsca.exe

pid	process
2776	DCD7.exe
2628	F3B3.exe
2632	F3B3.exe
2940	F3B3.exe
364	F3B3.exe
1748	build2.exe
1148	build2.exe
524	1815.exe
1080	build3.exe
2784	build3.exe
532	8E3E.exe
268	8E3E.exe
904	mstsca.exe
2296	mstsca.exe

Loads dropped DLL 20 IoCs

Processes:

F3B3.exeF3B3.exeF3B3.exeF3B3.exeWerFault.exe8E3E.exeWerFault.exe

pid	process
2628	F3B3.exe
2632	F3B3.exe
2632	F3B3.exe
2940	F3B3.exe
364	F3B3.exe
364	F3B3.exe
364	F3B3.exe
364	F3B3.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
532	8E3E.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2916 icacls.exe

pid	process
2916	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

F3B3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3a8c530-bcda-4351-ba1f-b57a633447f3\\F3B3.exe\" --AutoStart"	F3B3.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.2ip.ua
9 api.2ip.ua
10 api.2ip.ua

flow	ioc
17	api.2ip.ua
9	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

F3B3.exeF3B3.exebuild2.exebuild3.exe8E3E.exemstsca.exe

description	pid	process	target process
PID 2628 set thread context of 2632	2628	F3B3.exe	F3B3.exe
PID 2940 set thread context of 364	2940	F3B3.exe	F3B3.exe
PID 1748 set thread context of 1148	1748	build2.exe	build2.exe
PID 1080 set thread context of 2784	1080	build3.exe	build3.exe
PID 532 set thread context of 268	532	8E3E.exe	8E3E.exe
PID 904 set thread context of 2296	904	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2420 1148 WerFault.exe build2.exe
1776 268 WerFault.exe 8E3E.exe

pid	pid_target	process	target process
2420	1148	WerFault.exe	build2.exe
1776	268	WerFault.exe	8E3E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeDCD7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCD7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCD7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCD7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2776 schtasks.exe
2448 schtasks.exe

pid	process
2776	schtasks.exe
2448	schtasks.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1180	file.exe
1180	file.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeDCD7.exe

pid process

1180 file.exe
2776 DCD7.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

explorer.exe8E3E.exe

description	pid	process
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeDebugPrivilege	532	8E3E.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe
Token: SeShutdownPrivilege	1704	explorer.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

explorer.exe

pid	process
1188
1188
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
1188
1188
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe
1704	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

F3B3.exeF3B3.exeF3B3.exeF3B3.exebuild2.exe

description	pid	process	target process
PID 1188 wrote to memory of 2776	1188		DCD7.exe
PID 1188 wrote to memory of 2776	1188		DCD7.exe
PID 1188 wrote to memory of 2776	1188		DCD7.exe
PID 1188 wrote to memory of 2776	1188		DCD7.exe
PID 1188 wrote to memory of 2628	1188		F3B3.exe
PID 1188 wrote to memory of 2628	1188		F3B3.exe
PID 1188 wrote to memory of 2628	1188		F3B3.exe
PID 1188 wrote to memory of 2628	1188		F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2628 wrote to memory of 2632	2628	F3B3.exe	F3B3.exe
PID 2632 wrote to memory of 2916	2632	F3B3.exe	icacls.exe
PID 2632 wrote to memory of 2916	2632	F3B3.exe	icacls.exe
PID 2632 wrote to memory of 2916	2632	F3B3.exe	icacls.exe
PID 2632 wrote to memory of 2916	2632	F3B3.exe	icacls.exe
PID 2632 wrote to memory of 2940	2632	F3B3.exe	F3B3.exe
PID 2632 wrote to memory of 2940	2632	F3B3.exe	F3B3.exe
PID 2632 wrote to memory of 2940	2632	F3B3.exe	F3B3.exe
PID 2632 wrote to memory of 2940	2632	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 2940 wrote to memory of 364	2940	F3B3.exe	F3B3.exe
PID 364 wrote to memory of 1748	364	F3B3.exe	build2.exe
PID 364 wrote to memory of 1748	364	F3B3.exe	build2.exe
PID 364 wrote to memory of 1748	364	F3B3.exe	build2.exe
PID 364 wrote to memory of 1748	364	F3B3.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1748 wrote to memory of 1148	1748	build2.exe	build2.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 1188 wrote to memory of 524	1188		1815.exe
PID 364 wrote to memory of 1080	364	F3B3.exe	build3.exe
PID 364 wrote to memory of 1080	364	F3B3.exe	build3.exe
PID 364 wrote to memory of 1080	364	F3B3.exe	build3.exe
PID 364 wrote to memory of 1080	364	F3B3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1180

C:\Users\Admin\AppData\Local\Temp\DCD7.exe
C:\Users\Admin\AppData\Local\Temp\DCD7.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2776

C:\Users\Admin\AppData\Local\Temp\F3B3.exe
C:\Users\Admin\AppData\Local\Temp\F3B3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\F3B3.exe
C:\Users\Admin\AppData\Local\Temp\F3B3.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c3a8c530-bcda-4351-ba1f-b57a633447f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2916

C:\Users\Admin\AppData\Local\Temp\F3B3.exe
"C:\Users\Admin\AppData\Local\Temp\F3B3.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\F3B3.exe
"C:\Users\Admin\AppData\Local\Temp\F3B3.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe
"C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe
"C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1452
7⤵
- Loads dropped DLL
- Program crash
PID:2420

C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe
"C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1080

C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe
"C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe"
6⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2776

C:\Users\Admin\AppData\Local\Temp\1815.exe
C:\Users\Admin\AppData\Local\Temp\1815.exe
1⤵
- Executes dropped EXE
PID:524

C:\Users\Admin\AppData\Local\Temp\8E3E.exe
C:\Users\Admin\AppData\Local\Temp\8E3E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Users\Admin\AppData\Local\Temp\8E3E.exe
C:\Users\Admin\AppData\Local\Temp\8E3E.exe
2⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 156
3⤵
- Loads dropped DLL
- Program crash
PID:1776

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {18EC1BD3-BF22-47FB-AD12-584909B504C2} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:3008

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:904

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b0e04da50e22c31e5a1bcd823b31bc0a

SHA1
834ed42ea8cc071f41030231dfd38dbdd3a92c33

SHA256
b97307b15450163273d276f2918012e7afbcb2dfe9359886402fc7acbc198031

SHA512
37f70063bf02ed58b18dba6b1986fae9d57a6b54cded5d929098dab98fe450e81a8461c59e3f19a7e45c2b59295494264322747427cd1a30cdb3cbdd12238df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
ba198b4894ac9aeb07c3705b2c434a38

SHA1
7d1addf14782ff1d411690fad708f999f948ad68

SHA256
32f87c710484007513f27de5e0872a2591b661d6d3e63c0ff0685c6d42b5abfa

SHA512
33af107de382fb0b0ffa60aaf6df67cf66d57b791471f8476b0ea40810e2388f24985860294e1732846d1fb2ec873d2f4f9cef7b3166650497c3f199821b0122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
386580322f33ae57397fec6d5243623e

SHA1
d093ba6803b646168e0d391817c92d19e10e899f

SHA256
a2d910f554900db7ac97de417f059dce673837571a4b5b5da487e8099008e38c

SHA512
9a8a077debb956c497b593316cafe91e9e58116d4045e1f8cea50a7d0a85a58be2eed3bcee4009403d50863adc7846cecafa8da6d549e8fd372ef0928e398470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
42e95c54af5fe68c893d53302e425e87

SHA1
d37c11bb6b87ce5f6e852f058ba7fa75f21ce8ed

SHA256
74fc20551fbb4b904a0e9133f940b4ef70d1f33db9aeff42e065ec916e572b68

SHA512
bffa559fbd73866df30f2b587c71651713463555f196e3a384567c45632fb7e693183ef18a6e1483491ce91480e786a63cc5182c32d128c32a332fdd3ef3cb37

Download Submit
C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\1815.exe

Filesize
5.3MB

MD5
2b82eb950c4b07624724358abaee1e17

SHA1
35b7e43f3e60c7c9423773458715f65d010c854e

SHA256
883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727

SHA512
2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
640KB

MD5
56e62dc1069db724cc54b467947fb9f8

SHA1
8a5a1a9499a9b7a1d4ac52aeeceda2cf5e3f4745

SHA256
f118b3001c4bf7db2e44c8956eb639ae7412d9a4e3f7e677994cf761784feb1f

SHA512
b9856323468de2b1fb6dec35866e2b85141cb92ec24650589fc14a4bf78e3d4fb4f7deae6eb6b8421647717bc182155deb63169fc1e77b49314223a9de705188

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
763KB

MD5
14f7c4b98e2c837e555d030bfbe740c4

SHA1
695e50ac70754d449445343764d8a0c339323a04

SHA256
585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0

SHA512
c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab676.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCD7.exe

Filesize
222KB

MD5
11ac7990dacb8fed9a583f69660a8310

SHA1
a891612189e2db49a16704a9ac08850c5a76be3d

SHA256
b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a

SHA512
7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3B3.exe

Filesize
750KB

MD5
fb41f20c1783dee1ff3ff24e9320ef44

SHA1
873e409ee8fd52a51031269bee1b5e56207b8cf8

SHA256
3f8c53cc5aff0effc748241349db40bff4d9c3004b557c091c00ed192d8f4226

SHA512
b83682f64c79dab3ac134a2f42fa111882a6e7555d59b112599953a532091e67b76a1fd0da3426e516912c3e650ebed79d0bdc0ba9b4317f0bfb341e0b4cd481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2444.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe

Filesize
262KB

MD5
9b00df1cca53e81d90dfc2548f8d9114

SHA1
a783bde9346c8ece56aa6fec12348fea40fdf6ec

SHA256
1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe

SHA512
406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
128KB

MD5
4ffa6ea1daeb329c44d96258d49df616

SHA1
bb09631bf3e40e8d9fdc8f8c105a9a699eea6d2d

SHA256
6d8286ca072cd2bcd7ee66a5785c1efeab04e52e8d50b3198b1492576b141e2a

SHA512
cee5276eb322d92101cc5f4c5e7151135cd654df5e0c5ccae4d778a5a6607aa1f3c00263210b6676e74accdd0904b5849e32a6a1a2a1cbddb32ff6db9bd7db62

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
448KB

MD5
84e4f5b630da12c165b1e9b001eb9caf

SHA1
e033dede1f1b392a4f48fbb2ccb76975e9a1e45d

SHA256
2162b42f639b20cb1b20bb9e3a48abdee97bd94408c3149760dab953d73b8a8e

SHA512
22803fdd47df888757c3d43ed6fa1bf801c9b4fc8f837672ffb4a42bfd129c8bc7b06d0887bdaa60d178959d343a9854f988e5f08fd7ca6c07389e04774b9640

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
384KB

MD5
3a320224046261873725ed77c969095d

SHA1
f770f4cf431bcec47d10f4397eb3ec75205b0d41

SHA256
a5fce1916749a3c2bcdcb9183ef8f777f096cf99cb3da94e186e8f5a0dd45480

SHA512
9787bb71bc0b42a3c5b9dd8f2df2557e270be38a6e374fe8765a42f074f75e47f60b4a318e57cbcb169804bb6227d20c9f3010cbd067241b6166c950b847d671

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
320KB

MD5
4e35c59e25f78b7e5b8aeaccba8974be

SHA1
5fe6cb6eca6ebf59971ceccfdacfd1580fb88d0a

SHA256
9d48456d1b1f2ead21b94b88c6f55b59e33c46de6630b5437a037c621f02b9bb

SHA512
46e5d682fc44f4507a4bee389280cfd2ac07a18a60b286c68730490743b1df4617be8c31cfbca67a0df3654dddd4751c6af5b13ce31d0752e1635975f8378875

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
256KB

MD5
416d2df04ae8012128bec7197bb81f96

SHA1
344f74731835c138d6f1ee4f0bc708e1ecdde20f

SHA256
db24032c3a6bd09a7745c39f6e91b2ba6f0a92517057626e8a8554d7316e2f88

SHA512
cc404077a4fc88afd01ce43553848c04c95c7f407084f885bcfa08b5e146efae93d5a0c8d10c794cc5ee60feb697f5770c4b99bcdb1fbad166a2365eae94d880

Download Submit
\Users\Admin\AppData\Local\Temp\8E3E.exe

Filesize
42KB

MD5
0c6305017aaf90d0681298c5c1ce3f8d

SHA1
cea3d6dde37866576f3c9570c8b57342246f9d5a

SHA256
e09fc5ef473416f32c2fd1f7a2c4ebd85232848565804dcaefa0d602db52d3ce

SHA512
f3c29403303ebc5f9bb840b4b90a800620c332f05beffc885534d6ebcc76fd1d235f230f1294deaf84e967093e725de12e9c453b3ff79343e5470f217cf625f6

Download Submit
memory/364-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-121-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-93-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/524-135-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/524-140-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/524-149-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/524-136-0x0000000000EC0000-0x0000000001774000-memory.dmp

Filesize
8.7MB

Download
memory/524-138-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/524-148-0x0000000000EC0000-0x0000000001774000-memory.dmp

Filesize
8.7MB

Download
memory/524-162-0x0000000000EC0000-0x0000000001774000-memory.dmp

Filesize
8.7MB

Download
memory/532-307-0x0000000004C70000-0x0000000004D33000-memory.dmp

Filesize
780KB

Download
memory/532-303-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/532-302-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/532-295-0x0000000000890000-0x0000000000956000-memory.dmp

Filesize
792KB

Download
memory/532-304-0x0000000004AA0000-0x0000000004B68000-memory.dmp

Filesize
800KB

Download
memory/532-305-0x0000000004C70000-0x0000000004D3A000-memory.dmp

Filesize
808KB

Download
memory/532-306-0x0000000004C70000-0x0000000004D33000-memory.dmp

Filesize
780KB

Download
memory/532-309-0x0000000004C70000-0x0000000004D33000-memory.dmp

Filesize
780KB

Download
memory/532-1241-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/532-1243-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/532-1244-0x0000000002020000-0x000000000206C000-memory.dmp

Filesize
304KB

Download
memory/532-1263-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/904-1283-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1080-268-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/1080-269-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1148-278-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1148-116-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1148-117-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1148-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1148-112-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1148-286-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1180-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1180-3-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/1180-1-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/1180-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1188-4-0x0000000002A70000-0x0000000002A86000-memory.dmp

Filesize
88KB

Download
memory/1188-297-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1188-20-0x0000000003980000-0x0000000003996000-memory.dmp

Filesize
88KB

Download
memory/1704-1242-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1704-1278-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1748-107-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1748-109-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/2628-31-0x0000000000530000-0x00000000005C1000-memory.dmp

Filesize
580KB

Download
memory/2628-30-0x0000000000530000-0x00000000005C1000-memory.dmp

Filesize
580KB

Download
memory/2628-32-0x0000000001D20000-0x0000000001E3B000-memory.dmp

Filesize
1.1MB

Download
memory/2632-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2776-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-18-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2784-279-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2784-276-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2784-273-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2784-271-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-65-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2940-64-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download