djvu | 944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aed10ad37747d1d3c3078b2a24a73ccf.exe
Size

216KB
MD5

aed10ad37747d1d3c3078b2a24a73ccf
SHA1

c6647496404dbb0a381fbaef83e2126c363153a5
SHA256

944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c
SHA512

e5a7181dbf4315e73516cab06c16c39e0d02ef4ea74d0688198d1b1eccfe4166e20f902f08b56660fea7579c0086330004349c4f81f1aecee501bbfeadcbb3e6
SSDEEP

3072:qhAVkKKz6bqDSWrItkJj75qwv7Zt6gIZi26GDaMQxgMXEfpF:qh12m+kZlqw9t6AGOMQxgMXI

Score

10^/10

djvu risepro smokeloader socks5systemz vidar 1b9d7ec5a25ab9d78c31777a0016a097 pub1 backdoor botnet discovery evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-435-0x00000000022D0000-0x0000000002372000-memory.dmp	family_socks5systemz

Detect Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1240-114-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-118-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-115-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-119-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2216-258-0x0000000000230000-0x0000000000330000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-271-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-361-0x0000000003760000-0x0000000003A41000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2848-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3064-36-0x00000000044A0000-0x00000000045BB000-memory.dmp	family_djvu
behavioral1/memory/2848-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2848-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2848-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-93-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1240-112-0x00000000005D0000-0x00000000006D0000-memory.dmp	family_djvu
behavioral1/memory/1644-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

26E4.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 26E4.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	26E4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26E4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	26E4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	26E4.exe

Deletes itself 1 IoCs

Processes:

pid process

1204

pid	process
1204

Executes dropped EXE 18 IoCs

Processes:

A0C2.exeB79D.exeB79D.exeB79D.exeB79D.exebuild2.exebuild2.exebuild3.exebuild3.exe26E4.exe3823.exe3823.tmpksverify.exeksverify.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2360	A0C2.exe
3064	B79D.exe
2848	B79D.exe
532	B79D.exe
1644	B79D.exe
1240	build2.exe
2792	build2.exe
2216	build3.exe
2656	build3.exe
2788	26E4.exe
588	3823.exe
2712	3823.tmp
1792	ksverify.exe
1748	ksverify.exe
1040	mstsca.exe
2984	mstsca.exe
1684	mstsca.exe
1804	mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

26E4.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine 26E4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	26E4.exe

Loads dropped DLL 21 IoCs

Processes:

B79D.exeB79D.exeB79D.exeB79D.exeWerFault.exe3823.exe3823.tmp

pid	process
3064	B79D.exe
2848	B79D.exe
2848	B79D.exe
532	B79D.exe
1644	B79D.exe
1644	B79D.exe
1644	B79D.exe
1644	B79D.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
588	3823.exe
2712	3823.tmp
2712	3823.tmp
2712	3823.tmp
2712	3823.tmp
2712	3823.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

692 icacls.exe

pid	process
692	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B79D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ebb202a7-65ef-4dca-862d-ad372fdec8ec\\B79D.exe\" --AutoStart"	B79D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
10 api.2ip.ua
19 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

26E4.exe

pid process

2788 26E4.exe

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
19	api.2ip.ua

pid	process
2788	26E4.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

B79D.exeB79D.exebuild2.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3064 set thread context of 2848	3064	B79D.exe	B79D.exe
PID 532 set thread context of 1644	532	B79D.exe	B79D.exe
PID 1240 set thread context of 2792	1240	build2.exe	build2.exe
PID 2216 set thread context of 2656	2216	build3.exe	build3.exe
PID 1040 set thread context of 2984	1040	mstsca.exe	mstsca.exe
PID 1684 set thread context of 1804	1684	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2824 2792 WerFault.exe build2.exe

pid	pid_target	process	target process
2824	2792	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exeA0C2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A0C2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A0C2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A0C2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aed10ad37747d1d3c3078b2a24a73ccf.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2676 schtasks.exe
2280 schtasks.exe

pid	process
2676	schtasks.exe
2280	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exe

pid	process
2044	aed10ad37747d1d3c3078b2a24a73ccf.exe
2044	aed10ad37747d1d3c3078b2a24a73ccf.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

aed10ad37747d1d3c3078b2a24a73ccf.exeA0C2.exe

pid process

2044 aed10ad37747d1d3c3078b2a24a73ccf.exe
2360 A0C2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1204
Token: SeShutdownPrivilege 1204
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

3823.tmp

pid process

1204
1204
2712 3823.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1204
1204

description	pid	process
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204

pid	process
1204
1204
2712	3823.tmp

pid	process
1204
1204

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B79D.exeB79D.exeB79D.exeB79D.exebuild2.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1204 wrote to memory of 2360	1204		A0C2.exe
PID 1204 wrote to memory of 2360	1204		A0C2.exe
PID 1204 wrote to memory of 2360	1204		A0C2.exe
PID 1204 wrote to memory of 2360	1204		A0C2.exe
PID 1204 wrote to memory of 3064	1204		B79D.exe
PID 1204 wrote to memory of 3064	1204		B79D.exe
PID 1204 wrote to memory of 3064	1204		B79D.exe
PID 1204 wrote to memory of 3064	1204		B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 3064 wrote to memory of 2848	3064	B79D.exe	B79D.exe
PID 2848 wrote to memory of 692	2848	B79D.exe	icacls.exe
PID 2848 wrote to memory of 692	2848	B79D.exe	icacls.exe
PID 2848 wrote to memory of 692	2848	B79D.exe	icacls.exe
PID 2848 wrote to memory of 692	2848	B79D.exe	icacls.exe
PID 2848 wrote to memory of 532	2848	B79D.exe	B79D.exe
PID 2848 wrote to memory of 532	2848	B79D.exe	B79D.exe
PID 2848 wrote to memory of 532	2848	B79D.exe	B79D.exe
PID 2848 wrote to memory of 532	2848	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 532 wrote to memory of 1644	532	B79D.exe	B79D.exe
PID 1644 wrote to memory of 1240	1644	B79D.exe	build2.exe
PID 1644 wrote to memory of 1240	1644	B79D.exe	build2.exe
PID 1644 wrote to memory of 1240	1644	B79D.exe	build2.exe
PID 1644 wrote to memory of 1240	1644	B79D.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1240 wrote to memory of 2792	1240	build2.exe	build2.exe
PID 1644 wrote to memory of 2216	1644	B79D.exe	build3.exe
PID 1644 wrote to memory of 2216	1644	B79D.exe	build3.exe
PID 1644 wrote to memory of 2216	1644	B79D.exe	build3.exe
PID 1644 wrote to memory of 2216	1644	B79D.exe	build3.exe
PID 2792 wrote to memory of 2824	2792	build2.exe	WerFault.exe
PID 2792 wrote to memory of 2824	2792	build2.exe	WerFault.exe
PID 2792 wrote to memory of 2824	2792	build2.exe	WerFault.exe
PID 2792 wrote to memory of 2824	2792	build2.exe	WerFault.exe
PID 2216 wrote to memory of 2656	2216	build3.exe	build3.exe
PID 2216 wrote to memory of 2656	2216	build3.exe	build3.exe
PID 2216 wrote to memory of 2656	2216	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe
"C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2044

C:\Users\Admin\AppData\Local\Temp\A0C2.exe
C:\Users\Admin\AppData\Local\Temp\A0C2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2360

C:\Users\Admin\AppData\Local\Temp\B79D.exe
C:\Users\Admin\AppData\Local\Temp\B79D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\B79D.exe
C:\Users\Admin\AppData\Local\Temp\B79D.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ebb202a7-65ef-4dca-862d-ad372fdec8ec" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:692

C:\Users\Admin\AppData\Local\Temp\B79D.exe
"C:\Users\Admin\AppData\Local\Temp\B79D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\B79D.exe
"C:\Users\Admin\AppData\Local\Temp\B79D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe
"C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe
"C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1436
7⤵
- Loads dropped DLL
- Program crash
PID:2824

C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe
"C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe
"C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe"
6⤵
- Executes dropped EXE
PID:2656

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2676

C:\Users\Admin\AppData\Local\Temp\26E4.exe
C:\Users\Admin\AppData\Local\Temp\26E4.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2788

C:\Users\Admin\AppData\Local\Temp\3823.exe
C:\Users\Admin\AppData\Local\Temp\3823.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588

C:\Users\Admin\AppData\Local\Temp\is-19V99.tmp\3823.tmp
"C:\Users\Admin\AppData\Local\Temp\is-19V99.tmp\3823.tmp" /SL5="$601A4,7390120,54272,C:\Users\Admin\AppData\Local\Temp\3823.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2712

C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
"C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -i
3⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
"C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -s
3⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\taskeng.exe
taskeng.exe {CE8B0DC2-891A-457C-B330-CE7F281D5C4B} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
PID:1864

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1040

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2280

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1684

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8575bad5f12fe8f29f41c434d67fe563

SHA1
99391d1c1f1e9af2b3d3e0e604c77b90c40926ad

SHA256
5ebd8bc8bd783501d4c6cc0efcfd2cd737300d43cb12e4ecfad4010905330d91

SHA512
fc405ff900ca6988faf692a4471b1b29cee93683618e16d07e57eee2ede0ef51ad42cfa6974064641b0cf4128fc3989203f6d061d1c859b211c1cef9b63a839f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
942fd8900fe8ee33383e5228c0c5d7ca

SHA1
ed056f29db411dec6fc977447510b2f665399776

SHA256
04b206611be3dde8a7c97a4d221b7636f8fe31147ff4ec06f47bd9460094601f

SHA512
bd9479cb7d6b3924e48a0fea58cfd38a88b75b803fecb37b6b19da6a3821758d784858cd553ec96ffa49746e9d9b6314f6ba59315e767050c9d4bf9282ed3542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eda9e7d8b261bcb08bf547e99f5e8c53

SHA1
d05d21256ccc89b71395bc1d4bbb609396026372

SHA256
5e24c64432920417f6779557139fd09e341a12419076c9a83f2a202910058fd5

SHA512
36a002ca016df6c48ef584dd645a9eb7cf9b3c1d364eac53f8ffe43c573de3f08510f1a4223508f1c0234ab70a6c9e7a33c73228ba0d9a844e746f245170ce55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f0f91c5d19d66a83012b7b436e15b868

SHA1
25c50c861a567ad1cf2196e04e1d71679aeb7e0a

SHA256
50c37c1658459411f50df010d6b8fb54a9b18d866b9ebcc8af5b13899f411ad0

SHA512
77b524801cecea744fb932a3725805bc48e65af8241bde16a557167fdf5bd7bdc8bb5e85589650eaf7a63b950aca0bf252feb4e377ab177b842d6b28273010a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
f08b774746d0e51700f7c4e9b026d696

SHA1
de27ed06508d9652b1b79555bcf844053371f492

SHA256
625d716ca8497489f065ffab0bc74a6eb0fce4015fa9c3ace826b504e4a84c77

SHA512
69bf9cbf750fa95b275831d56980f3728e3609bce72b1955b26ab9ac0b3fef1813f7cc81de6834f5cc3553b29d5643b9dd74dab2790eddeb9be8b6ae0b1f9a91

Download Submit
C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
Filesize
2.9MB

MD5
6936a45ddd0b7ca33e8de3533f629640

SHA1
22082a6bd02761f7350f58f51d1ce936ed033b31

SHA256
f5ab766ada6141971442080f8f6c7577d2fb2520ebd078146d21cd779eb1f0c4

SHA512
c28689e92d64fa2fdd95c933d8389489d708de2b45fd49d7fa941216800bbfdb7c8af4b2e91f3052e814aedbba2e8f6a5c4bdedb9c9fee6c75714d833a5d6d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\26E4.exe
Filesize
2.2MB

MD5
631417d758a28c436fdb13a7f3365117

SHA1
6443a00953d6823fa922e590c17774b6c398af29

SHA256
04dc7e7bda691cfe893123023ebc84848233d4d5c7be8c32ecddab1fcd71f2a8

SHA512
6048361f59aca6126366c8e9671143dd20dc0f3c125dab2861e61d312e4b193b573405699f6fe7503f3c930ec908b6d7313e27e6ea242117161e904bbf19a5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3823.exe
Filesize
4.2MB

MD5
440f03b1867750bf45ba7e78b9ea80f4

SHA1
25ae4270d969befd5effe6d60aa184af30fcb09a

SHA256
928f484f11874ae86c68c9b52dd8fb68a335bec88fd1a2c9435ed5e516abfa84

SHA512
ec24b7a8cdcff807bf043b24445b7b8ced61405420ffb1737c2f874a8319b1a9ec9ddd6d382e01582403fffbc942cb1804c2c1b9fbf8aebf82c7da1946163a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3823.exe
Filesize
4.6MB

MD5
83edef6cf6434eab94be978936208921

SHA1
976003687cfaf09bfd4747775119ad747d619aed

SHA256
627373ae0a16e6c35fd2a8d431d26310cc88dd23a072e4bcc51d1c8320f4419e

SHA512
d317ac40a4f7ef50dc0065f445a36850682d824d791cdde21d36af2a3534d683c14107ea98a99047f21a8f3dcd34e1d2f2c92b7836326e93df749938e061a2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0C2.exe
Filesize
208KB

MD5
3459e4e3b8c2023cb721b547fda205f6

SHA1
c4cc7eb4d2e016b762e685a87b16144fda258f9c

SHA256
9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd

SHA512
eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B79D.exe
Filesize
686KB

MD5
77c4f6bb281f77975dcafa34ac349790

SHA1
d7f9091c80970c92769ec6ef76b67609afabe1eb

SHA256
135698647c6708059999b677fcd123b3255cdb3020842db103dbe990f4cc0593

SHA512
ed0b9f4fba640134402a034bc7eabdf2ab6f276c2e145a8a83b54bb592d992f9b6b47e759f4a3ae5dcd3eb6d5c56c09b66f612334d335c03c4c502aaeb16ccb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B79D.exe
Filesize
627KB

MD5
c62c7b573217e329aaa1e8a4557650cd

SHA1
2c90e1c9c0540d4d42ca9ae8a5f4363259d22136

SHA256
c76fc75052d155d501cf33c60fd7ed1544e32f113fbe53195d3d27924ced8971

SHA512
6da723c55d6548a14757ef94d8400f1dfc5a0263fe351fa38152c3660b6b8d26350baa027199b3fa3582ae25783463142a1721f422e9e9d12ef6e31a0f6bccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\B79D.exe
Filesize
486KB

MD5
49c80ca6e8600bfedf84d2f497cd195e

SHA1
b82886bd4fde9180244412408c17bcc836d991aa

SHA256
fd060f989c8da349a3ed0b711e7d84e923a1771aea3ba696103d1ddb88671f1a

SHA512
599cfc6e417292752547c959183b5284d7a8d7658c0e963ba7ce6f3c5ae1225bdba89899a5950b3300872c35363fb5dfc20fbf457109e02bd6fc8ff4081407ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE66.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1160.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\??\c:\users\admin\appdata\local\temp\is-19v99.tmp\3823.tmp
Filesize
692KB

MD5
558517932afff8def7d6c9e9a2a51668

SHA1
69f1830a41bf3c5f9d3e578b85071d05faefc934

SHA256
464ff8248e06554c0d76b162e9c10968648013091c93869b3c93be6d086b632e

SHA512
d23badd9d1dd0bbb370fdb4f46dca6ebf176d42f126d7ebf751f25498a047eda3f1c0e6fd93fcfaba0df29b177961201ab869cf0e14e2f360da47e7a756d69db

Download Submit
\Users\Admin\AppData\Local\Temp\B79D.exe
Filesize
652KB

MD5
f3131787bdad2925e3946d719551970f

SHA1
31d34fcf263faf51c5860dcece22752c9e9378fc

SHA256
cb0a96aaa041f60795335024435b51de1889638c8a44524670269e63ac84784e

SHA512
dbcb04292a988b22987e79f383d66c0cc8b41b43ce9fee9bbb8c957cd1ebdf99e2c1911c8af79d9f9c55127b79e4c0cd8cc162c4bf81384fc2be1426aca160d5

Download Submit
\Users\Admin\AppData\Local\Temp\is-TUNGG.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TUNGG.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-TUNGG.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/532-66-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/532-64-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/588-292-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/588-296-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/588-375-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1040-384-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1204-27-0x0000000002B00000-0x0000000002B16000-memory.dmp

Filesize
88KB

Download
memory/1204-4-0x0000000002A50000-0x0000000002A66000-memory.dmp

Filesize
88KB

Download
memory/1240-114-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1240-112-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1644-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-93-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1684-447-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1748-373-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1748-397-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1748-400-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1748-391-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1748-370-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1748-435-0x00000000022D0000-0x0000000002372000-memory.dmp

Filesize
648KB

Download
memory/1792-367-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1792-368-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1792-362-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1792-364-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/2044-3-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2044-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2044-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2044-5-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2216-258-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2216-259-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/2360-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/2360-18-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

Filesize
1024KB

Download
memory/2360-19-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/2656-265-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2656-264-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2656-261-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2712-361-0x0000000003760000-0x0000000003A41000-memory.dmp

Filesize
2.9MB

Download
memory/2712-306-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2712-376-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2712-381-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2712-390-0x0000000003760000-0x0000000003A41000-memory.dmp

Filesize
2.9MB

Download
memory/2788-274-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2788-276-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2788-379-0x0000000000CA0000-0x000000000124C000-memory.dmp

Filesize
5.7MB

Download
memory/2788-282-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2788-280-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2788-281-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2788-283-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2788-284-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2788-279-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2788-277-0x0000000000CA0000-0x000000000124C000-memory.dmp

Filesize
5.7MB

Download
memory/2788-278-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2788-372-0x0000000000CA0000-0x000000000124C000-memory.dmp

Filesize
5.7MB

Download
memory/2788-359-0x0000000000CA0000-0x000000000124C000-memory.dmp

Filesize
5.7MB

Download
memory/2788-272-0x0000000077B70000-0x0000000077B72000-memory.dmp

Filesize
8KB

Download
memory/2788-285-0x0000000002940000-0x0000000002942000-memory.dmp

Filesize
8KB

Download
memory/2788-275-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2788-273-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2788-270-0x0000000000CA0000-0x000000000124C000-memory.dmp

Filesize
5.7MB

Download
memory/2792-271-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2792-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-119-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2792-115-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2792-118-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2848-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3064-26-0x0000000000320000-0x00000000003B2000-memory.dmp

Filesize
584KB

Download
memory/3064-34-0x0000000000320000-0x00000000003B2000-memory.dmp

Filesize
584KB

Download
memory/3064-36-0x00000000044A0000-0x00000000045BB000-memory.dmp

Filesize
1.1MB

Download