djvu | c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69d761d941e1a7a4721e267e91167b3a.exe
Size

170KB
MD5

69d761d941e1a7a4721e267e91167b3a
SHA1

7e83135738bdd132a8c9da031b4794852cfc9f8b
SHA256

c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
SHA512

4ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
SSDEEP

3072:lLWPQWxrjDjU6G+JLfeEXcUesyx0RcAJ+qVeYg:lLWPvjU6TFhXBes/c

Score

10^/10

djvu smokeloader vidar zgrat 655507914130aa0fe72362726c206a7c pub1 backdoor discovery persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2324-114-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/3008-113-0x0000000000230000-0x0000000000261000-memory.dmp	family_vidar_v7
behavioral1/memory/2324-118-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2324-117-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2324-205-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/3008-347-0x0000000004900000-0x00000000049F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/3008-1495-0x00000000048C0000-0x0000000004900000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2716-35-0x00000000045C0000-0x00000000046DB000-memory.dmp	family_djvu
behavioral1/memory/2692-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-96-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1260-164-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1252	Process not Found

Executes dropped EXE 26 IoCs

pid	Process
2392	9B07.exe
2716	B433.exe
2692	B433.exe
700	B433.exe
1260	B433.exe
3008	build2.exe
2324	build2.exe
760	build3.exe
1136	build3.exe
876	mstsca.exe
2724	mstsca.exe
2968	49FD.exe
3008	5F70.exe
1048	6367.exe
1164	5F70.exe
2556	5F70.exe
440	5F70.exe
2076	5F70.exe
2356	5F70.exe
1144	5F70.exe
1708	5F70.exe
1140	5F70.exe
1528	5F70.exe
936	5F70.exe
1688	mstsca.exe
2148	mstsca.exe

Loads dropped DLL 35 IoCs

pid	Process
2716	B433.exe
2692	B433.exe
2692	B433.exe
700	B433.exe
1260	B433.exe
1260	B433.exe
1260	B433.exe
1260	B433.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe
3008	5F70.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
528	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\26d3cec0-d6bc-48f8-a70d-7f78a03cd51a\\B433.exe\" --AutoStart"	B433.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.2ip.ua
45	api.2ip.ua
28	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2692	2716	B433.exe	30
PID 700 set thread context of 1260	700	B433.exe	34
PID 3008 set thread context of 2324	3008	build2.exe	39
PID 760 set thread context of 1136	760	build3.exe	44
PID 876 set thread context of 2724	876	mstsca.exe	49
PID 1688 set thread context of 2148	1688	mstsca.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
972	2324	WerFault.exe	39
2892	2968	WerFault.exe	52
2476	1048	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69d761d941e1a7a4721e267e91167b3a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69d761d941e1a7a4721e267e91167b3a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69d761d941e1a7a4721e267e91167b3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B07.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B07.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2868	schtasks.exe
2856	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	69d761d941e1a7a4721e267e91167b3a.exe
1616	69d761d941e1a7a4721e267e91167b3a.exe
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1616	69d761d941e1a7a4721e267e91167b3a.exe
2392	9B07.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeDebugPrivilege	3008	5F70.exe
Token: SeShutdownPrivilege	1252	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1252	Process not Found
1252	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1252	Process not Found
1252	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2392	1252	Process not Found	28
PID 1252 wrote to memory of 2392	1252	Process not Found	28
PID 1252 wrote to memory of 2392	1252	Process not Found	28
PID 1252 wrote to memory of 2392	1252	Process not Found	28
PID 1252 wrote to memory of 2716	1252	Process not Found	29
PID 1252 wrote to memory of 2716	1252	Process not Found	29
PID 1252 wrote to memory of 2716	1252	Process not Found	29
PID 1252 wrote to memory of 2716	1252	Process not Found	29
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2716 wrote to memory of 2692	2716	B433.exe	30
PID 2692 wrote to memory of 528	2692	B433.exe	32
PID 2692 wrote to memory of 528	2692	B433.exe	32
PID 2692 wrote to memory of 528	2692	B433.exe	32
PID 2692 wrote to memory of 528	2692	B433.exe	32
PID 2692 wrote to memory of 700	2692	B433.exe	33
PID 2692 wrote to memory of 700	2692	B433.exe	33
PID 2692 wrote to memory of 700	2692	B433.exe	33
PID 2692 wrote to memory of 700	2692	B433.exe	33
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 700 wrote to memory of 1260	700	B433.exe	34
PID 1260 wrote to memory of 3008	1260	B433.exe	38
PID 1260 wrote to memory of 3008	1260	B433.exe	38
PID 1260 wrote to memory of 3008	1260	B433.exe	38
PID 1260 wrote to memory of 3008	1260	B433.exe	38
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 3008 wrote to memory of 2324	3008	build2.exe	39
PID 1260 wrote to memory of 760	1260	B433.exe	40
PID 1260 wrote to memory of 760	1260	B433.exe	40
PID 1260 wrote to memory of 760	1260	B433.exe	40
PID 1260 wrote to memory of 760	1260	B433.exe	40
PID 2324 wrote to memory of 972	2324	build2.exe	43
PID 2324 wrote to memory of 972	2324	build2.exe	43
PID 2324 wrote to memory of 972	2324	build2.exe	43
PID 2324 wrote to memory of 972	2324	build2.exe	43
PID 760 wrote to memory of 1136	760	build3.exe	44
PID 760 wrote to memory of 1136	760	build3.exe	44
PID 760 wrote to memory of 1136	760	build3.exe	44

C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe
"C:\Users\Admin\AppData\Local\Temp\69d761d941e1a7a4721e267e91167b3a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1616

C:\Users\Admin\AppData\Local\Temp\9B07.exe
C:\Users\Admin\AppData\Local\Temp\9B07.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2392

C:\Users\Admin\AppData\Local\Temp\B433.exe
C:\Users\Admin\AppData\Local\Temp\B433.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\B433.exe
  C:\Users\Admin\AppData\Local\Temp\B433.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\26d3cec0-d6bc-48f8-a70d-7f78a03cd51a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\B433.exe
    "C:\Users\Admin\AppData\Local\Temp\B433.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\B433.exe
      "C:\Users\Admin\AppData\Local\Temp\B433.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe
        
        "C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe
        
        "C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1420
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:972
    - - C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build3.exe
        
        "C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build3.exe
        
        "C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {4AAEF28F-3393-4415-B43E-26D0321BFB0B} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:876
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2724
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2856
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2148

C:\Users\Admin\AppData\Local\Temp\49FD.exe
C:\Users\Admin\AppData\Local\Temp\49FD.exe
1⤵
- Executes dropped EXE
PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2892

C:\Users\Admin\AppData\Local\Temp\5F70.exe
C:\Users\Admin\AppData\Local\Temp\5F70.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\5F70.exe
  C:\Users\Admin\AppData\Local\Temp\5F70.exe
  2⤵
  - Executes dropped EXE
  PID:936

C:\Users\Admin\AppData\Local\Temp\6367.exe
C:\Users\Admin\AppData\Local\Temp\6367.exe
1⤵
- Executes dropped EXE
PID:1048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 652
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2b33b0833148dc664d6b13c3f7e97bc2

SHA1
184dfbee227e2492d975e14298f5912a8f357fff

SHA256
fede4adce8cf32bb9dc17a6f389971ebce68ef8415f949f5690b04612ee8e5a3

SHA512
ec0a774a532b2a52619ef321fcc779f13d89d10a0a1bb0e73f281dada30a1e625641acd6c658f9fff9171eaffd5c9d83ce063334f564f2700b1e09820d3dabfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
8c498b1014f231beb4019f8af590c868

SHA1
166f06817d3ba88173a55def64960a6ef95c18c6

SHA256
3b88c520c685a090f9bd00e788ac5a2b31b45a16075c72c3c8e83a771e9dd5ca

SHA512
139dec15bed186e40f3d84897ed77e7b4b989857ee84bcada5c6a1d42b4a8e5c9f9791e6feb956bb8482c31f2e6a8cb0f45674f4943168f030f575aa35e0d3fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72c50a7659c74caabba5b2e4b113f5b8

SHA1
c43a65e489b469bed798db4f659b8037aeb44a32

SHA256
238df822eda8f497a19660d92bde741a610fec89911d6a1455fa0439226254eb

SHA512
177e70dc17f68730e6d774d537b5a156950697aa699438d47c8f22892bf0a58b66f2e685f6b25c8b9d1bc4dec673ce139f2ee34d8b4f3ac3462c52f83ecdd709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b796f0d4ed15a4accb3ceb1fb84f66f

SHA1
1b061004889817c312e852fa7a82aff1f88d8618

SHA256
b7fdc01363a520b182bef59214b413b03908ae990ca5406ecb02344c1f18d129

SHA512
c59aeed0a9aa8465fbea527be757c361b58e3b4d761e0ba2ccf184b730563f7fc8edc6121dce634af4565a5d9eafd9a1ed9f7308f940d58ca6fcad19f9acfe3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64d0a76c38aac6d0ab898f1cb4720e11

SHA1
f6bd9f7a1e3ad0f46ccbc1039dbe120565aad1b4

SHA256
27cd148092bfe040bc50be56d7041c65da10b3ebea22ed22e97eab6bab26b2a3

SHA512
97b2a273bb38f5190c99b01393ecb0d5cddaca75b5fd8dfd873835ad491847e3e118ff9c53d095952e79eca6311a8e733d27b2866427bcd14db4ada8bea0fdc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
98d0c136f6313b102e904ae3df164b79

SHA1
fecb0fe65ce8092c67131cbfc2119f22e527df3f

SHA256
51be5dd41333247687230f8f409231cf07098164990631aec93e32cce97c64a0

SHA512
211f42e897b43a12d38325176782a0935d13dba6931ed4010d666165d3889b0a78387d560895d147005b4bbbebbab5f37a3abc42336649d6c2417c8e7fae0d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5e50b239a33806559bd3bd106dcb93c0

SHA1
509c0c45646eaaadfcb1f8c8f00c34d15d1aca58

SHA256
be6734c988fae4ef0835ff7a2bb1cd31adee1fede47fe39b13fbe797b16e840a

SHA512
8b9963fdde18c068725858a8bb193fbfa24728552b9ef9d3d66e834545619e907de5251723ca2eae162ece3fa2f39ac4ae77ec11b9a9b80bdd92d7a8750e3d72

Download Submit
C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe

Filesize
320KB

MD5
698128efcd00cd992543f5efe720b664

SHA1
cae1caffe79c76f954f8c3d8d060b54e9eb7aea4

SHA256
e72332c6f01bc37d102fd2124d380429e6d1a15fa55556a798ec8fb276668a37

SHA512
5c09e9123753dbd13085cb9c722b58d7bb6c64597ef5e44ed58ee50b7132fccd0bd3912f24440944925927e27586ece4a09a9deb4f90caddcabfb70c54cf1e22

Download Submit
C:\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\49FD.exe

Filesize
4.5MB

MD5
7c3017cca61282972763fdecb9cf13c1

SHA1
450d2d207112d7a330789025bb92da05fa763ad8

SHA256
8c4e88559c5801efb21ad75ea72417c39a76f4ea6f2cb07d780ad3a8f8642e1f

SHA512
578b7f75f262665921792615db11d5e6019347ebadffa15fc2ea3c45c8c672f17d673ae32b0776a0684af671c99b78e85d0e7ddb2289372a25737f4415901699

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F70.exe

Filesize
952KB

MD5
422a9c5cfa6370c93a4bd5db29c3d196

SHA1
caaf89e601fde4bc9dbe3c0edda8e7efa5062e17

SHA256
82311d6280999d5c9d368377e30b8f55abe2a3d7d98f8c074f6e40c5be7cd965

SHA512
2caf014595f65caa26bd7c8396f981ee452ef01fdf35dde3e9e2e950855f564e97026f71c52b9a49526f9bca68d4f5c6d4bc9ba51d4b8330e38e4b4b84214e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\6367.exe

Filesize
68KB

MD5
cd2b5a09efdac0ffbd76111f44733138

SHA1
6db6bc9dba96632213d1077155725f388237e268

SHA256
1c6b4fadf6a74e1dfacd17468bdb0743ec21a1bdf3fcd4c3f58bf727efb1c74c

SHA512
16fa87494baa4d65bd170d346efe082b998689d0c3488cec764170f5c0e63a7a4ad2fc51f18aa710aa8bca1ed84af99965baae692a81cead192cfa63aa37c714

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B07.exe

Filesize
170KB

MD5
69d761d941e1a7a4721e267e91167b3a

SHA1
7e83135738bdd132a8c9da031b4794852cfc9f8b

SHA256
c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649

SHA512
4ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295

Download Submit
C:\Users\Admin\AppData\Local\Temp\B433.exe

Filesize
699KB

MD5
a2b38ede1742205c46b74ce044287fb9

SHA1
8415a9ab51551583f3ace6916816c4474a2ffb9b

SHA256
324a8068a203d94f77eb773e1491ca27fd52b5a2b5b220f50d3a9b86f9d69965

SHA512
9fb2d5c030bedcb71132db3c019fdf7131826e48cb4c64d779bd2e853ab110d8fd384e3ed07946ee8bd055c880e17510488b6edc68421a99a76bfd57872694d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B433.exe

Filesize
170KB

MD5
70921df5f05c89e62c8d686bdde51fac

SHA1
3e21c0780cc9d238a91d79e3e72d255a712f5592

SHA256
0a0afc692d7c90184186993d1cc99fe305dfab08e5c633d35a6517d440dd8901

SHA512
c049e0946edcbc6542797e16b51f67a2006ba67ea94ced7404ad8c814c1c68757c6cdd124366450f96356054e8d96874a05f2eabdf71355170863d783e1af754

Download Submit
C:\Users\Admin\AppData\Local\Temp\B433.exe

Filesize
640KB

MD5
4a0a2319b176c870c77de2a8cb7f3dc9

SHA1
c5c794bc73363e310a186020876699eab313cb82

SHA256
612a55b45950b078368705bec4db91f40427b0ddc863cdd9b2dfeadbb162b85c

SHA512
054d1951d39214fe4ea843bd22abcbf8d99964a8ccc79179174a521ef5a6d4d6691185fa6dff903e86a9c89a13f217f738552d9753cc864c493c3f615793a66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9D4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF1BF.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe

Filesize
332KB

MD5
a0cc1241aa4803dc23ff778af73e3768

SHA1
75d07c8f1784e8e64e7520c2666bc63c2a477ffa

SHA256
c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466

SHA512
3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755

Download Submit
\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe

Filesize
128KB

MD5
0bc3fd2c11e38745e5321eee0112cd1e

SHA1
b3e15026c901f4053b18cf04983bd5be1cdb60ac

SHA256
df5f4276eed1bb5fa6c776c7a4c5690da26852e3214fa7832f11a29c7448734c

SHA512
a20002522e3dcbc6170fc677c70d753607fb851e9003108a05b14ae181df813dd379d95d58f82b9a3cfee81e568c25fa3c8df81527c32c6b94135798a81f38b8

Download Submit
\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe

Filesize
256KB

MD5
9c1873ad12fb91a31770e4253153ab80

SHA1
087b2ecc4a6b777e9b76b67a2ddfe870dd61e6e7

SHA256
d13a9bcd36f6c4faca5b99a564c7d9e0ed435b1bb53cbd8528f0cd31750a9c1d

SHA512
55b6db8d127e374675515c12cc93d8618b37c2fcec0dc374ec95441cf122bd14a8202fb025b1574e780ac1b0afe890b02a9bcfee0332ac0ccc8733fff41e85c9

Download Submit
\Users\Admin\AppData\Local\409af725-7bbb-4a26-84c4-81399915211f\build2.exe

Filesize
192KB

MD5
0be8c8a5c3b881997ae9fbebd5e61f36

SHA1
c8025f6c4a4af88642e553b7833816b467314ff8

SHA256
5f2c815ed53c1cc625b5bc83767aaab5309e5be79e6bad45e2b36f63ca932484

SHA512
30dcd186ad3d554be918a352ef7a85cf031cae22e0bc8eb35249df9033262554d3f52f0b4ca8d688a556bd9b3342a134a799bc00de2c340b639a5ab816890c58

Download Submit
\Users\Admin\AppData\Local\Temp\49FD.exe

Filesize
6.0MB

MD5
95e59305ad61119cf15ee95562bd05ba

SHA1
0f0059cda9609c46105cf022f609c407f3718e04

SHA256
dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19

SHA512
5fbcfe79162460080e0c3944df747835f0b8f2cdb35b038eb69eadf2eb85a209f7d5432a328d0f0eeafba036012f48793e3c08d94531b98a12a498bcf3b00ad2

Download Submit
memory/700-64-0x00000000043B0000-0x0000000004442000-memory.dmp

Filesize
584KB

Download
memory/700-67-0x00000000043B0000-0x0000000004442000-memory.dmp

Filesize
584KB

Download
memory/700-73-0x00000000043B0000-0x0000000004442000-memory.dmp

Filesize
584KB

Download
memory/760-191-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/760-192-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/876-211-0x00000000002F2000-0x0000000000302000-memory.dmp

Filesize
64KB

Download
memory/1048-1492-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-1494-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/1048-354-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1048-355-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-356-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/1048-359-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/1136-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1136-194-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1136-197-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1136-198-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1136-200-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1252-4-0x00000000024C0000-0x00000000024D6000-memory.dmp

Filesize
88KB

Download
memory/1252-20-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

Filesize
88KB

Download
memory/1260-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-96-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-164-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1260-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1616-3-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/1616-5-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/1616-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1616-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1688-1515-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2324-118-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2324-205-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2324-117-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2324-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-114-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2392-21-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/2392-18-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/2392-19-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/2692-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2716-33-0x0000000002C60000-0x0000000002CF2000-memory.dmp

Filesize
584KB

Download
memory/2716-35-0x00000000045C0000-0x00000000046DB000-memory.dmp

Filesize
1.1MB

Download
memory/2716-30-0x0000000002C60000-0x0000000002CF2000-memory.dmp

Filesize
584KB

Download
memory/2968-231-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2968-221-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2968-257-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2968-224-0x0000000000FC0000-0x0000000001B1B000-memory.dmp

Filesize
11.4MB

Download
memory/2968-1483-0x0000000000FC0000-0x0000000001B1B000-memory.dmp

Filesize
11.4MB

Download
memory/2968-229-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2968-226-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2968-227-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2968-223-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3008-346-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-1478-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/3008-1479-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3008-1481-0x00000000047E0000-0x000000000482C000-memory.dmp

Filesize
304KB

Download
memory/3008-1480-0x0000000004630000-0x00000000046AA000-memory.dmp

Filesize
488KB

Download
memory/3008-347-0x0000000004900000-0x00000000049F0000-memory.dmp

Filesize
960KB

Download
memory/3008-1487-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-345-0x00000000003D0000-0x00000000004C2000-memory.dmp

Filesize
968KB

Download
memory/3008-111-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3008-1495-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/3008-1511-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-113-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download