djvu | 73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027

Analysis

max time kernel
296s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Size

700KB
MD5

82b95c134ff0481c15adec3f77e413f3
SHA1

bf3f50f5a88f9f3efb40a1dce441824a24c5df1c
SHA256

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027
SHA512

9bdc2c364fea0c28c5f3a8862e33119c5ebe3fb3f7b21037d148abd7d15f5e1fe74550cbad99e38b6c311bfe4e0f39430da124ea0f1483f317235ecf3f044921
SSDEEP

12288:kT9K0UmPjoKllWmrr28ueznY3efXlmEEHEuKRVbNGvrjlS2er0LZll/:wZ7ozmrrfPzYwmfHIVbNGHXeol9

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1860-95-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2732-99-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2732-100-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2732-96-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2732-251-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/752-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/752-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/752-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3032-2-0x0000000002B90000-0x0000000002CAB000-memory.dmp	family_djvu
behavioral1/memory/2420-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/752-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-70-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1860-93-0x0000000000620000-0x0000000000720000-memory.dmp	family_djvu
behavioral1/memory/2420-101-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2420-235-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
1860	build2.exe
2732	build2.exe
1976	build3.exe
2056	build3.exe
2140	mstsca.exe
2652	mstsca.exe
1444	mstsca.exe
2116	mstsca.exe
2736	mstsca.exe
408	mstsca.exe
2108	mstsca.exe
1664	mstsca.exe
2248	mstsca.exe
2696	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exeWerFault.exe

pid	process
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2808 icacls.exe

pid	process
2808	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\63f7a1e9-bf68-4219-94f0-26b0c02b94b4\\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe\" --AutoStart"	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.2ip.ua
16 api.2ip.ua
3 api.2ip.ua

flow	ioc
4	api.2ip.ua
16	api.2ip.ua
3	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3032 set thread context of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 set thread context of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 1860 set thread context of 2732	1860	build2.exe	build2.exe
PID 1976 set thread context of 2056	1976	build3.exe	build3.exe
PID 2140 set thread context of 2652	2140	mstsca.exe	mstsca.exe
PID 1444 set thread context of 2116	1444	mstsca.exe	mstsca.exe
PID 2736 set thread context of 408	2736	mstsca.exe	mstsca.exe
PID 2108 set thread context of 1664	2108	mstsca.exe	mstsca.exe
PID 2248 set thread context of 2696	2248	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1420 2732 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2192 schtasks.exe
2428 schtasks.exe

pid	pid_target	process	target process
1420	2732	WerFault.exe	build2.exe

pid	process
2192	schtasks.exe
2428	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

pid	process
752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exebuild2.exebuild2.exebuild3.exebuild3.exe

description	pid	process	target process
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 3032 wrote to memory of 752	3032	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 752 wrote to memory of 2808	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 752 wrote to memory of 2808	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 752 wrote to memory of 2808	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 752 wrote to memory of 2808	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 752 wrote to memory of 2560	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 752 wrote to memory of 2560	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 752 wrote to memory of 2560	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 752 wrote to memory of 2560	752	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2560 wrote to memory of 2420	2560	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 2420 wrote to memory of 1860	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 2420 wrote to memory of 1860	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 2420 wrote to memory of 1860	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 2420 wrote to memory of 1860	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 1860 wrote to memory of 2732	1860	build2.exe	build2.exe
PID 2732 wrote to memory of 1420	2732	build2.exe	WerFault.exe
PID 2732 wrote to memory of 1420	2732	build2.exe	WerFault.exe
PID 2732 wrote to memory of 1420	2732	build2.exe	WerFault.exe
PID 2732 wrote to memory of 1420	2732	build2.exe	WerFault.exe
PID 2420 wrote to memory of 1976	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 2420 wrote to memory of 1976	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 2420 wrote to memory of 1976	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 2420 wrote to memory of 1976	2420	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 1976 wrote to memory of 2056	1976	build3.exe	build3.exe
PID 2056 wrote to memory of 2192	2056	build3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\63f7a1e9-bf68-4219-94f0-26b0c02b94b4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2808

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
"C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
"C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
"C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
"C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1360
2⤵
- Loads dropped DLL
- Program crash
PID:1420

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {035BFA81-C80E-4408-9CCB-3F5CF9DD383E} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:1060

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2140

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1444

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2736

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2108

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2248

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
51KB

MD5
8d8a6ed48ef3c769dc5a5f0386a0f3af

SHA1
1372db53148be4349813f949263a62b279afd8a1

SHA256
967b3878ee02b19500cfb87ecba486fdfe22a5d7a7aafa35e37440142d895c4e

SHA512
983492c453d9ad29b9d32bbfc4c7ad383c72a0f063f2906f180779dbb6d5c49b33fc49b977381f4c7cfb8f33bbdfea7d5a4d37a252c1d3bbd4731b014c71b112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
fd4c132a58ef96812865ac18562f98e8

SHA1
556ee9b58f917a2893bcf200bc552b988a3f25b8

SHA256
5d080035ebd59227abaea6ca1fbc41686ff092a683d7be13fb271face1b73fa6

SHA512
87fa1e48972affdf8922a93ab5ff20b5c71f6eecc0846caf84343c4e53868598d6d3630d958ce080d98f08ae927dc12c699798759160aadc7975c9aecc460aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0cda8b5db8f8fefe73f8f29f548492e0

SHA1
020e26884ac5afb19588323f9a8a0370657c6663

SHA256
318d06f6da7c6b13081d420367f558c9d18038fd89269e5aaea90593f604660b

SHA512
fe0251fa5135715af47d80f678575576b2cc6db3ed9ef00ad35bee6c3f6f1f399d7f2b0b1b3d002ffdbdbefb3f1fb77f9655cfb1fce7f6fa5d9c1ed2a8eb2cbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b2fe06d0ec24605c69107b23582de7f9

SHA1
937e6d1499ea1fc65086aaa79a14b332738d64a7

SHA256
caa3c6e5cab5d055e33ab04e94f61a415694ed32c25e2dc19d76b9afbbe721b5

SHA512
512275acf22b80fc15c6dd3a9c8f4e8a45ce9b2d3040a3599e05308bb08785e8bbde0f271881e8489d10e0b61168c134d9fd14c0d3c19faea9982836d186f797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
38b6ed29470d7a219d5dd07ee13b49f6

SHA1
b94af4b3824e15a83ee0d758faa18ec7c2358219

SHA256
f67acebd365b8d01cf7cf978655de31ad3d7b76f803ec6e5bcc85b1c4bdf6fb0

SHA512
f74b84c4802916cab56fcf7fef2f72a76eb4816874fc94ab6b1924d6e58518a16c3cec2320b3fdbc9f8ba0be43bcea1d437292f6cf8c4f2841cabb0d560f4568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
bda7bb0d9bf9b2c6537d53764dc3959d

SHA1
b20a53d394924a1dc4231253760187f799ca0fb4

SHA256
114e168cba6cbd83dbfdfac1c9938588373cc2ad11d98d4c648275cfaa2b1e24

SHA512
f3ca734f4429052a2d657ba6cc511f5572c860a16077e89244d7553311b648cc7f691289feb246ae806cd02063702e55d47159b86bb5c7de0be825a5943f695e

Download Submit
C:\Users\Admin\AppData\Local\63f7a1e9-bf68-4219-94f0-26b0c02b94b4\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Filesize
322KB

MD5
c36d2ae7bad85a96413bef952392f072

SHA1
10b001c2ce928d6d035bd592144dc35a36c78f67

SHA256
3e7890e6f359ae14addf79797f0791227f8570318c5e65b52ef1335f5a24def3

SHA512
4e8a14211432d1a8ba1fa70995c04caef3e9a8f7eab8584912cdc6e2e4015c3ef20754906301b1e411af365da19e7aeaf69a7263bad13260c8e29bda4412cf28

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
145KB

MD5
5895032ee764aed193cb7ee33698d683

SHA1
9a0d432efbdb6af72dd9cc1bfbe372c377f31c77

SHA256
7eea56dc5b5e7a5e481314dd3f3d2a299a915f502267887be54e01217ac59d77

SHA512
19b035209d267895029e7d557db43e347d784b20f9c89ede3a18345215b57baee7405d4fc2f5d9fb9c7c970050eed04bdd5017d5a8cf6c5ded8a410a99e8d2db

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
160KB

MD5
337ebc9b9665a310862916a95eb788aa

SHA1
e5fdd54025fc2c81a967b861f48bf10c0a53a5cf

SHA256
6ecbc210a4151035fae08799caa62f868f3586a2d2a31bbb66ddd71299a46c8d

SHA512
9580a6e4a2bac2992cc972364dfc02bf9efdc48b56299c411d7d570581e2ed02cd048ff85da66c14d4da55b4aeee2d667ef1ce66053380d6886b3f39047f824c

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
97KB

MD5
6e1d56ddb4bd2b4a4405ee44da966110

SHA1
9638121feb2ec8f1af110a3a7805ae8e9e407090

SHA256
447f6c1df599fdc920e2ec8d0f4e7a099c9fc7a1dad1c3d3a4b0342b10f3ed4f

SHA512
518dff0246471559c501868c3d6d79cbb2b8ac2d1f3b23d4de2c5c9451b8048b960cee223ae4458d14492f0125552c2c0b9c38a4167a402cb8d1d877c9846738

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
105KB

MD5
cd0344b2dae803063a761c949e363125

SHA1
c5b7651e2cedb937bac3d2e76536d3bc98314fe4

SHA256
415c0a724bf966ca9bb87facbd6d95db607da9881362fc497d753567357e87f7

SHA512
3e8ccdca65f91cddca80a3684acccaea79770babd56e696fe54d90407f4b8dacba0332686c17fa3ca64cdcaf286bd018daf8a33150073f068cc70d1cbe16cfa4

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
9KB

MD5
9f2a96367a52c87cfc6a9126f452cc2d

SHA1
6df22db4fb95700b0f121bf2e6d345ff9075079d

SHA256
d19625b085e39f32ee3a9740cc622b0328aa321d83cae210599351d1402a3f47

SHA512
d72cd533c12a1d435e43d8f2a7a31b1595feaa8069bb39a99e4467751090e57f8f6fe0b262a5a78ea5bf3ff55e35bf3dc1ab653468fef7527bbacf5a505e967d

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
8KB

MD5
bf8070b7c595452791909a1469ac0007

SHA1
84710d9f2daefbc68674820a2c3bd542e80b20b7

SHA256
3b176d538d3cdb3a249542f19b38d469419a2da010aacd83875e3a6e05b8c9c4

SHA512
c4137a8e6be5f5a309b61ca5af0ea9e829a797efece846d1e9f5402ff3857fad1c765f6e1bf4580c1665265c7ac66988c1c4cf8c5e7970cef00eb8ecf955ae3c

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
92KB

MD5
4b3fc3105731c7ff3a7e3966416912a2

SHA1
0e792bf25e8795158074fa6bd2ee87ad16675124

SHA256
c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443

SHA512
6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

Download Submit
C:\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
44KB

MD5
698926128469e317eb774ce81c5b72a6

SHA1
1e2f04fa98a1b0402183505a1ebafadde9f7d8cc

SHA256
40fc03314ae8191e7c53880ca0ac504e7d8cb1c01cbd128f95ff234e9e8bda61

SHA512
d01526b82455ccd00012bb79e63e569e76c026c565e601f620da8e20d08d6520bbda92e61c989763a1643cfb16505b36079b4ec56662b69314fe5a59f6fb809d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8C.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
13KB

MD5
e4ffc9d89073e1aafd4cb886d4f1f37f

SHA1
85d51dc5630c4f6e30f940d869b42d54ebe6ce65

SHA256
1ed3637a57a59ecc086c042cb27a3525685f726a8581429aae939ef703f12b5e

SHA512
58a510c88071e0ac68fd1b044ff5885979f3d2111c2ae5a0a186fda8bdcf7ea33023f1e4af33100664950e4ece2f6a77c8e86490ed9a927b7a179c5e74d380f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
4KB

MD5
fadabe6d8bf7eea4a472f9250f453907

SHA1
24c5f911a2cf1355f87f6a9d1a8527607fdcdfd4

SHA256
8be527f2aa83cd83496741b10a44c37d09f156d7817ea656be3b335e2f6f500b

SHA512
2b7d290639ffdd49ef510ba24ef4a76e8b14b239932787d398bbd866cdf7270ad8ea7f7435e165feab3a5f45e0767005c4837a60ad65e948587c55495681b785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
60KB

MD5
cd7b580fb3343bb063c3788f3a2c8b62

SHA1
8770eea5a729cb853197bb45cf3521dbf6570989

SHA256
7620f3bfada721e870fe389c5f47b8b1ac0086dcd0081ae508f48a7c67632243

SHA512
ef3cb340c0577bb6858c9fae626747cc6e42ac9e953d9e148937bddebc81726ffea51a5e3da98630d6f6179024981a3a85abc182004c156aa41eb873bc3e3446

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
74KB

MD5
b342902ff083c19fc16afebb7c3483ff

SHA1
582694603624a6d0e22abf6b30f6aae8af0f9384

SHA256
6e8ea453928f127d35c637c523c552bbdb4f9418681723aa424d6936103e7166

SHA512
3156c71b404ebcbf07801430e0ba86307676db6a1fd4cc01a65df2711ad5fc0a378ed135ae30ccf419f3de0a92ac2a2f1a1fc63db7d4c29c35e0b670d1758f09

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
92KB

MD5
230239a54eb2b96fb8264eb303534dc7

SHA1
c415fd0af6bd976f59187cfce9fe2fb812fa2796

SHA256
5b749776328733e38ef3caafa20b587a16ce8fb9cd82bd1de6c76a0ca4366fc5

SHA512
5ba643f0bb4e2284ccb06041bf15c21d5e21943cac7a4a2c28dca2cb74094bae7057936ae7101e89dc6b9e7f5849f00e93991bdf1d0a59102ff5f1b67566c7ea

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
98KB

MD5
aa95086cc7c5a5d9eaee1cc03eee26ff

SHA1
78b8035a500c059d7c2e689d5aa51de3f4ca88d1

SHA256
bb3e39d767ca5408a50a2f44e6f9511de559a4bd8f260f4c4d63d8ff824a7f96

SHA512
64a7d02e0b2e678785f69e96748f71a45fb9c4f07059658d3ebc8224e157f049d3a5bc7bf71bb3e069d9dcb72f16aed2585a70b53a61ffd7748a67a6e2f55625

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
126KB

MD5
9a284ffb3400855d31699f6cec6d832a

SHA1
b4f95555608c5dfc6a912a0ebd051001d87595d2

SHA256
353c10cd202a8da465b3fdcf26872b828ef884c55330f6780f1490608cdbcf5b

SHA512
5a147dd0cfd2267c386f39ecefc27f9751a0a965cf6640c143f79e191e93b7e2537b61c50e66e38be8a0289dc90f748834c8f9bf5edeaacac6156bbb71ec908f

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
1KB

MD5
4b49c6fe09c9c2d4b59bd6cfbeacb12c

SHA1
34592ba710ba16b6df0cda4dc8cfd6db93600062

SHA256
284c248d8da39b056cd78802f016eeecd4d0f55c272de796f9fc3744d3db67bf

SHA512
4a31d9edca2c3c4b21113489627930a2bc444c68a507c08b72ae15f41d23d555b75b4bfe84ab81dd3891735057c0f6eda89143ba49b8940f0a0c7b9e6501d5b3

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
21KB

MD5
71228075c601e1e609ce7af6fbae85f2

SHA1
b9172c26692a14e563bf001004e1aa41c2c003ce

SHA256
77a3e46972b3fc83f8fee3f2169b72bff382f2017013df82cf2f509e693912c2

SHA512
242972d639420f147a933015ba64c4c3564f749b6e20963d2f1add1607b58a4d9c616bc03c70395c5315ce693502c1245af9a2fbff24844bbdb008573b9832e4

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
86KB

MD5
1a53c4b978bb3189db151e5b9ff66860

SHA1
dff5a50eb2eda3d6bd9f909c3f4d7609134d36b0

SHA256
deaeea7df51090ccf179d79180f44fed310c170e497e760bfc5c6659f1ea9d93

SHA512
e1782d212f6a17e1fc3c9aaf567d4b8e6446b41768e3cf01392b7628bd35c2a267519c227ba151fe547d0c8bdac06bb6de2a9c04c77bb576c18688359e9848cc

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build2.exe
Filesize
131KB

MD5
f4567b0b3c53cfd710c63c2a501a53ff

SHA1
6b977a365243fb61e04d9ece28f5913b88ceb25c

SHA256
8f6f768de60e2716fde9db57157dd4cb4bdef8e901af03d045de64b207bd63df

SHA512
b6bc579daebc4888af8ffcdb0cf99c5d6621abde4781aae124ed402a8090aa8d911cd3eadfa233b51e74fbe1d45c547f114b28110657692c9bcd726418ed322e

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
39KB

MD5
bb67b815af0d72b2e8e0266d57a9fb52

SHA1
a873814074097e3e8d841a0ffac6d50eda1826da

SHA256
48940a8c9c94aa00805096396b3c6ec9e6b667c4da036bca294b25a644e62e37

SHA512
43f766fb3d595d0404fa4f10740a568135572a6d1c70b69bc033c09d79c20600ef7903caaa19583eb3fe361d4dca0de2ad40838d34899ed1a88aea20f6df2a58

Download Submit
\Users\Admin\AppData\Local\9942857f-7e3d-42ad-aa39-9c264686fe9e\build3.exe
Filesize
21KB

MD5
871959e60efd58bb9b3bac5c41f20977

SHA1
ea48e6636d1b13adb93f9759abe2f41a22cb1fb4

SHA256
2b4973eb7b342002f966b4d15e959532ba9aa388bea8a7903604371367c44422

SHA512
9b220286b8a1d77fc2f5decc4615d67f92dc326be66d5ecfc1a1f83985991ec0a87548cd098daf0152e7258e395c1551a182a83728f33a1d6936ba91afd74083

Download Submit
memory/752-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/752-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/752-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/752-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/752-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1444-293-0x00000000008E2000-0x00000000008F2000-memory.dmp

Filesize
64KB

Download
memory/1860-93-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/1860-95-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1976-244-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/1976-245-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2056-241-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2056-246-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2056-249-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2056-248-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2108-348-0x00000000008C2000-0x00000000008D2000-memory.dmp

Filesize
64KB

Download
memory/2140-263-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2248-376-0x0000000000272000-0x0000000000282000-memory.dmp

Filesize
64KB

Download
memory/2420-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-70-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-235-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-101-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2420-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2560-49-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2560-47-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2732-251-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2732-100-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2732-96-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2732-99-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2732-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-320-0x0000000000902000-0x0000000000912000-memory.dmp

Filesize
64KB

Download
memory/3032-0-0x0000000000260000-0x00000000002F1000-memory.dmp

Filesize
580KB

Download
memory/3032-2-0x0000000002B90000-0x0000000002CAB000-memory.dmp

Filesize
1.1MB

Download
memory/3032-7-0x0000000000260000-0x00000000002F1000-memory.dmp

Filesize
580KB

Download
memory/3032-1-0x0000000000260000-0x00000000002F1000-memory.dmp

Filesize
580KB

Download