djvu | ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c

Analysis

max time kernel
299s
max time network
195s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
Size

772KB
MD5

bab1ea0e1eba81e7bf661766ac1ac177
SHA1

12e1aa39059fd8a727214592f415bee1c9905177
SHA256

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c
SHA512

066a0b3a2daad8a888a5b2d968ed5ab897b742d28da98b28e39d6d538a729ab5331f566e3f57d1c89978c597e97dd64fe9fd050986741be2bb1ca9b42458b234
SSDEEP

12288:9vhycdmFgKk2gjva8foyadXAcF78F1oXWcUDwW7yPwJ1SFBAPUy9Fq6UUF/2:dQxlevpwvAFawDwW7hJ1oBSUyUUR

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2136-78-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/1792-80-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1792-81-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1792-75-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1792-235-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2332-3-0x0000000001D90000-0x0000000001EAB000-memory.dmp	family_djvu
behavioral1/memory/2348-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2348-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2348-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2348-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2816-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2136-76-0x0000000000630000-0x0000000000730000-memory.dmp	family_djvu
behavioral1/memory/2816-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2132-254-0x0000000000900000-0x0000000000A00000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2136	build2.exe
1792	build2.exe
1596	build3.exe
784	build3.exe
2132	mstsca.exe
1780	mstsca.exe
2544	mstsca.exe
2268	mstsca.exe
1004	mstsca.exe
1216	mstsca.exe
1540	mstsca.exe
2120	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeWerFault.exe

pid	process
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2800 icacls.exe

pid	process
2800	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\064b90fa-05c6-476e-8359-6ee018cac88f\\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe\" --AutoStart"	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2332 set thread context of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 set thread context of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2136 set thread context of 1792	2136	build2.exe	build2.exe
PID 1596 set thread context of 784	1596	build3.exe	build3.exe
PID 2132 set thread context of 1780	2132	mstsca.exe	mstsca.exe
PID 2544 set thread context of 2268	2544	mstsca.exe	mstsca.exe
PID 1004 set thread context of 1216	1004	mstsca.exe	mstsca.exe
PID 1540 set thread context of 2120	1540	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2400 1792 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1412 schtasks.exe
2552 schtasks.exe

pid	pid_target	process	target process
2400	1792	WerFault.exe	build2.exe

pid	process
1412	schtasks.exe
2552	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

pid	process
2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2332 wrote to memory of 2348	2332	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2348 wrote to memory of 2800	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2348 wrote to memory of 2800	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2348 wrote to memory of 2800	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2348 wrote to memory of 2800	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2348 wrote to memory of 3028	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2348 wrote to memory of 3028	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2348 wrote to memory of 3028	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2348 wrote to memory of 3028	2348	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3028 wrote to memory of 2816	3028	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2816 wrote to memory of 2136	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 2816 wrote to memory of 2136	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 2816 wrote to memory of 2136	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 2816 wrote to memory of 2136	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2136 wrote to memory of 1792	2136	build2.exe	build2.exe
PID 2816 wrote to memory of 1596	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 2816 wrote to memory of 1596	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 2816 wrote to memory of 1596	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 2816 wrote to memory of 1596	2816	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 1596 wrote to memory of 784	1596	build3.exe	build3.exe
PID 784 wrote to memory of 1412	784	build3.exe	schtasks.exe
PID 784 wrote to memory of 1412	784	build3.exe	schtasks.exe
PID 784 wrote to memory of 1412	784	build3.exe	schtasks.exe
PID 784 wrote to memory of 1412	784	build3.exe	schtasks.exe
PID 1792 wrote to memory of 2400	1792	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\064b90fa-05c6-476e-8359-6ee018cac88f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2800

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build2.exe
"C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
"C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
"C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1412

C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build2.exe
"C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1440
2⤵
- Loads dropped DLL
- Program crash
PID:2400

C:\Windows\system32\taskeng.exe
taskeng.exe {AF01455E-0285-4264-8A16-795EC33C0A23} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2788

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2132

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2552

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2544

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1004

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1540

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c59708a86e78530488f2356251e775a2

SHA1
17e33e077261cdd9e54d4e58dfb168f15ee93efb

SHA256
71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2

SHA512
42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
902a27e12f01e6f9c0d15645ec1ba860

SHA1
4643f6fde423e65424cd02ff5e0ba6729a34e42f

SHA256
6b72cd42d9d00dbb8df4a5384a96c801c9e18f01b23373a6bd3bd1f6d65c0549

SHA512
20d077e028ec862eb1d835f27a7e7a3cdd5a8fdcf5e0aecafa2485b0be60d1bf9bea7db214d582d81576d3e2922c1bd0aac972a818516a24cea7e9954cb7307f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9f202509a2097126a74be242eb5b0ad0

SHA1
6acdc33cf3368436dd9a5ca5d0ea1c3a4d0ac8d5

SHA256
6bea9f3f4f271a309aed3d3e3faa927a44b44fa70aa4c43a05fbcc3c073f79f9

SHA512
31af372843bcc1e2a7c6e65acbb264a9ea93769170ad530ace34a7972f446c85fbdd819410dbb4f2835e5ac388e85909161b3b742bd98429a93f1b4b62d974ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
9d61ffceaee2abae219d826072141034

SHA1
646b437122dfd3735e4d5bf986bc01fc1a8d3388

SHA256
e7ef2ef197b73659fede41d97a9bdd770ef14e35daa7d035e7e1f04595311e1d

SHA512
a44ffc6bcd4e9d778bae76e21aac20112f194ea279cdb3885b82cded88e4f274c591b462facfa289351b1894046575345b2c7fd8ff6fd63fedab19452dab7bfc

Download Submit
C:\Users\Admin\AppData\Local\064b90fa-05c6-476e-8359-6ee018cac88f\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
Filesize
473KB

MD5
7ad350ebe3ee9a12c36eb63fca5023c9

SHA1
ba64b7bd4bf5881cee44cae45b177101737ab519

SHA256
ee5139cc71afb35bf2659995abc70f1736b5dbe7bd4bc7ef11006c1e4e55be49

SHA512
2d665497212bf004aa4dbbbe262e0ddbf633b660777ae3881d1f23d8fc6d1285e2b4c614c5bc05c49689dbd08a5ff7f5453db0e7477c2e2b4e99ee21fe9f4468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F2B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4809.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
29KB

MD5
e7e5ee11df33022e8259e913fcfae3f5

SHA1
95857ccf6d862e0cf6a1b294ce20b32b019ccb04

SHA256
5ba456328906e19cf1793820fc8a17525841dabd6d171567a8d6bbd18c2f5a4e

SHA512
dede98d87b0b4c0e92141b81d9d3addc347752947dfe14c21b1417d912d6bd12721dbdb32b73026ea0de383fa60049f286b5fe1ef3bc1c8a8d8345abdcfe03f6

Download Submit
C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
54KB

MD5
9f367db238ed785a786e59036627a168

SHA1
c376c004dec17e087eb42aa0e3f4ac58e34f0381

SHA256
8d544a0a65dfc480712d81ac4ef9b8f1fde7c0f820b35d723bdc0a287a7e9f8f

SHA512
4fce7ce6d6f1dc92f94c362e6588535d639b0df6a68e5ff9284b58e3fd2d40d029322e41b65e93510738c6d58a0acb8592d2b66b050d1d041b71febe4c547a11

Download Submit
C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
191KB

MD5
52df085e0161101c31e03a50f81012ad

SHA1
00d38d9895e1b08e133e7c4c5aa874407b7cad29

SHA256
980369856bc1c7028296edafeba6349faceee0e739cd03ab3116762fe9198577

SHA512
7ab854f7a9eeaef0f98e4ef4f7b7a44f5dd2da7d6e4d27b45fbd1dd633303766db6719c0748a2b227e16c0a9f52477d68fec3b8258728486d02baa058152005d

Download Submit
C:\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
224KB

MD5
403287a3223cfb32bf8ab14dfcecb750

SHA1
60daaa10e5c15c013f8cccdc9ed8be9da2d0550d

SHA256
de99ab939b4c7d1cc401a4e1dc4f35436a0de3ed276b7086beacbf1c073a6c0f

SHA512
74c54dc3dd1c3b3e81ffc15a950654b916adfd6b99e0610db94a49d34be687c1cc337d962fccdfc0cbaf77fd536705d39d0861c36abf23c58c158922552ecfea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
263KB

MD5
bddd048dc51a6ef7da7a4a89496cd790

SHA1
68ca777ae0aa28ff182e43c150e63d5dbc0181c3

SHA256
5c0f0b5124d8ccd8d287e83da54d24850c15913cdd8ae96f336d0bd2849731aa

SHA512
fc53efc75c4950360b43b624657e6a6125edb987c506ff8f2df9547e36d33c02da563757685d370d49a1c4be6f76b19cfecddb0cb1dd0dd86a39ff5c6f3c70f2

Download Submit
\Users\Admin\AppData\Local\d71637a7-4fd7-4b74-a1d7-d0e5427f69df\build3.exe
Filesize
177KB

MD5
b92a6f698973c843c529d061d72835a9

SHA1
25896810e00e70bb5fae807ed201ba2aa3fe65b3

SHA256
5941f9723a089dcc902079166ae68cfaffe3a86cac8a2b4db06f4430019ab55c

SHA512
b72aabdb7892a4f446c397551f8f9d47798f2e4b29aab3ffaf8cc10c7174d65ad2bab342064aa4ac9908f6623db1413a4e759196e5a8984e5ab83e081e04d502

Download Submit
memory/784-153-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/784-146-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/784-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/784-151-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1004-309-0x0000000000C72000-0x0000000000C82000-memory.dmp

Filesize
64KB

Download
memory/1540-337-0x0000000000942000-0x0000000000952000-memory.dmp

Filesize
64KB

Download
memory/1596-150-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1596-149-0x0000000000312000-0x0000000000323000-memory.dmp

Filesize
68KB

Download
memory/1792-81-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1792-235-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1792-75-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1792-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-80-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2132-254-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/2136-78-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2136-76-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2332-0-0x00000000004D0000-0x0000000000561000-memory.dmp

Filesize
580KB

Download
memory/2332-7-0x00000000004D0000-0x0000000000561000-memory.dmp

Filesize
580KB

Download
memory/2332-3-0x0000000001D90000-0x0000000001EAB000-memory.dmp

Filesize
1.1MB

Download
memory/2332-1-0x00000000004D0000-0x0000000000561000-memory.dmp

Filesize
580KB

Download
memory/2348-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2348-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2348-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2348-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2348-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-282-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2816-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2816-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3028-35-0x00000000002F0000-0x0000000000381000-memory.dmp

Filesize
580KB

Download
memory/3028-30-0x00000000002F0000-0x0000000000381000-memory.dmp

Filesize
580KB

Download
memory/3028-28-0x00000000002F0000-0x0000000000381000-memory.dmp

Filesize
580KB

Download