amadey | a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-02-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
Size

286KB
MD5

b711abfd1d3f342fd53e7234672e23a3
SHA1

abba6fdf4ce45cfc9121bc8f93658b0875ba1f4f
SHA256

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c
SHA512

f3d3e2e2bad6975e45c9b90568604085c92b7016ee7c56504593d1fea695b3be5c05991515c7ebe9442cc315084a75f59d19630e108806f78f912521efa5e242
SSDEEP

3072:Wz6T6oy729nhffLbCWeia4bU3qrf9tExSD2w3TA4xFgIzSUxaIa2Vd:3T6o28XC7AU3gvEx/6TA4LiUxaIh

Score

10^/10

amadey dcrat djvu smokeloader vidar 13bd7290c1961db27b4ede41bfbf4c5e pub1 backdoor discovery evasion infostealer persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.lkhy
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.8

Botnet

13bd7290c1961db27b4ede41bfbf4c5e

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579

Attributes

profile_id_v2
13bd7290c1961db27b4ede41bfbf4c5e
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exeE6B8.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4be56eb3-c661-48fc-a8f3-f18a6135be16\\E6B8.exe\" --AutoStart"	E6B8.exe
3052	schtasks.exe
2624	schtasks.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1652-112-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2232-113-0x0000000000230000-0x0000000000261000-memory.dmp	family_vidar_v7
behavioral1/memory/1652-116-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1652-118-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1652-257-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2540-33-0x0000000004570000-0x000000000468B000-memory.dmp	family_djvu
behavioral1/memory/2908-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2908-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2908-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2908-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-255-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-112-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1652-116-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1652-118-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1652-257-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-112-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1652-116-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1652-118-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1652-257-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

589E.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 589E.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	589E.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

589E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	589E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	589E.exe

Deletes itself 1 IoCs

Processes:

pid process

1244

pid	process
1244

Executes dropped EXE 14 IoCs

Processes:

C774.exeE6B8.exeE6B8.exeE6B8.exeE6B8.exebuild2.exebuild2.exe28E6.exebuild3.exebuild3.exe589E.exe62FB.exemstsca.exemstsca.exe

pid	process
1828	C774.exe
2540	E6B8.exe
2908	E6B8.exe
1548	E6B8.exe
988	E6B8.exe
2232	build2.exe
1652	build2.exe
2800	28E6.exe
2784	build3.exe
1464	build3.exe
1016	589E.exe
108	62FB.exe
2652	mstsca.exe
2960	mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

589E.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Wine 589E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Wine	589E.exe

Loads dropped DLL 12 IoCs

Processes:

E6B8.exeE6B8.exeE6B8.exeE6B8.exeWerFault.exe

pid	process
2540	E6B8.exe
2908	E6B8.exe
2908	E6B8.exe
1548	E6B8.exe
988	E6B8.exe
988	E6B8.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
988	E6B8.exe
988	E6B8.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2152 icacls.exe

pid	process
2152	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E6B8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4be56eb3-c661-48fc-a8f3-f18a6135be16\\E6B8.exe\" --AutoStart"	E6B8.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.2ip.ua
27 api.2ip.ua
44 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

589E.exe

pid process

1016 589E.exe

flow	ioc
26	api.2ip.ua
27	api.2ip.ua
44	api.2ip.ua

pid	process
1016	589E.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

E6B8.exeE6B8.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 2540 set thread context of 2908	2540	E6B8.exe	E6B8.exe
PID 1548 set thread context of 988	1548	E6B8.exe	E6B8.exe
PID 2232 set thread context of 1652	2232	build2.exe	build2.exe
PID 2784 set thread context of 1464	2784	build3.exe	build3.exe
PID 2652 set thread context of 2960	2652	mstsca.exe	mstsca.exe

Drops file in Windows directory 1 IoCs

Processes:

589E.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 589E.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2284 1652 WerFault.exe build2.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	589E.exe

pid	pid_target	process	target process
2284	1652	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exeC774.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C774.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C774.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C774.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3052 schtasks.exe
2624 schtasks.exe

pid	process
3052	schtasks.exe
2624	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe

pid	process
1700	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
1700	a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exeC774.exe

pid process

1700 a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
1828 C774.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1244
Token: SeShutdownPrivilege 1244
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

589E.exe

pid process

1244
1244
1016 589E.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1244
1244

description	pid	process
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244

pid	process
1244
1244
1016	589E.exe

pid	process
1244
1244

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E6B8.exeE6B8.exeE6B8.exeE6B8.exebuild2.exebuild2.exe

description	pid	process	target process
PID 1244 wrote to memory of 1828	1244		C774.exe
PID 1244 wrote to memory of 1828	1244		C774.exe
PID 1244 wrote to memory of 1828	1244		C774.exe
PID 1244 wrote to memory of 1828	1244		C774.exe
PID 1244 wrote to memory of 2540	1244		E6B8.exe
PID 1244 wrote to memory of 2540	1244		E6B8.exe
PID 1244 wrote to memory of 2540	1244		E6B8.exe
PID 1244 wrote to memory of 2540	1244		E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2540 wrote to memory of 2908	2540	E6B8.exe	E6B8.exe
PID 2908 wrote to memory of 2152	2908	E6B8.exe	icacls.exe
PID 2908 wrote to memory of 2152	2908	E6B8.exe	icacls.exe
PID 2908 wrote to memory of 2152	2908	E6B8.exe	icacls.exe
PID 2908 wrote to memory of 2152	2908	E6B8.exe	icacls.exe
PID 2908 wrote to memory of 1548	2908	E6B8.exe	E6B8.exe
PID 2908 wrote to memory of 1548	2908	E6B8.exe	E6B8.exe
PID 2908 wrote to memory of 1548	2908	E6B8.exe	E6B8.exe
PID 2908 wrote to memory of 1548	2908	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 1548 wrote to memory of 988	1548	E6B8.exe	E6B8.exe
PID 988 wrote to memory of 2232	988	E6B8.exe	build2.exe
PID 988 wrote to memory of 2232	988	E6B8.exe	build2.exe
PID 988 wrote to memory of 2232	988	E6B8.exe	build2.exe
PID 988 wrote to memory of 2232	988	E6B8.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 2232 wrote to memory of 1652	2232	build2.exe	build2.exe
PID 1652 wrote to memory of 2284	1652	build2.exe	WerFault.exe
PID 1652 wrote to memory of 2284	1652	build2.exe	WerFault.exe
PID 1652 wrote to memory of 2284	1652	build2.exe	WerFault.exe
PID 1652 wrote to memory of 2284	1652	build2.exe	WerFault.exe
PID 1244 wrote to memory of 2800	1244		28E6.exe
PID 1244 wrote to memory of 2800	1244		28E6.exe
PID 1244 wrote to memory of 2800	1244		28E6.exe
PID 1244 wrote to memory of 2800	1244		28E6.exe
PID 988 wrote to memory of 2784	988	E6B8.exe	build3.exe
PID 988 wrote to memory of 2784	988	E6B8.exe	build3.exe
PID 988 wrote to memory of 2784	988	E6B8.exe	build3.exe

C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe
"C:\Users\Admin\AppData\Local\Temp\a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1700

C:\Users\Admin\AppData\Local\Temp\C774.exe
C:\Users\Admin\AppData\Local\Temp\C774.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1828

C:\Users\Admin\AppData\Local\Temp\E6B8.exe
C:\Users\Admin\AppData\Local\Temp\E6B8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\E6B8.exe
  C:\Users\Admin\AppData\Local\Temp\E6B8.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4be56eb3-c661-48fc-a8f3-f18a6135be16" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\E6B8.exe
    "C:\Users\Admin\AppData\Local\Temp\E6B8.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\E6B8.exe
      "C:\Users\Admin\AppData\Local\Temp\E6B8.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build2.exe
        
        "C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build2.exe
        
        "C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1452
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build3.exe
        
        "C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2784
      - C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build3.exe
        
        "C:\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3052

C:\Users\Admin\AppData\Local\Temp\28E6.exe
C:\Users\Admin\AppData\Local\Temp\28E6.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\31EC.bat" "
1⤵
PID:2448
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1080

C:\Users\Admin\AppData\Local\Temp\589E.exe
C:\Users\Admin\AppData\Local\Temp\589E.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1016

C:\Users\Admin\AppData\Local\Temp\62FB.exe
C:\Users\Admin\AppData\Local\Temp\62FB.exe
1⤵
- Executes dropped EXE
PID:108

C:\Windows\system32\taskeng.exe
taskeng.exe {CE8CE0D8-9CBF-46F5-BF48-14FFDA9B7398} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2960
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
486aebeeb76a792eeaf8ab052521a435

SHA1
ac8b734bc9a5afb32cbfec95387bfa655913a323

SHA256
70074beff23c35473462d486e1162bce89af86dae5123b6aab7bfbb6d9bf8e61

SHA512
5da5c0f18cd8b3e6233adcce9d97b25f5842ba8ed503c3b28b98d6c417ffd6f59f3375309ae2ac2fff2670c9cb547b5e465f0063ccd66ebbe61e17347ceee2cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
47c9c06a2dfb0b4b23732cea04fb6b3a

SHA1
55230fb5fac2a558b4222dd5c22f33aec4df3e0d

SHA256
b155ed4a1eb1cfdaa66491e007bfaffde70110d78e58cc19d2f132dbc37b41fa

SHA512
e3b394ff9c11a538ce8e99aefedc4b4087f6c18b4dd448c8814109263f3e46778a8f51801f95c139eca481bd0afdeb7c373780c84b51e6b4caf9b0cdaeef0faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0c50516f8018ad548a11707d92bc78e

SHA1
1358796c51a1acfa40bcfc539504b9f6b45acac7

SHA256
9a7581fe65434d710fbc6d049cf33ef0e0424fcdc440c74ebdc4b22b95f0e7e2

SHA512
0caa1feaf115dda674cc9905fb5547d0dd733d765fdf5d931a46a9d044a671e7620b12579e2899b35fdf35dfd5029418b21987ba2dab54b23dcca576cfc2c89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a199cac2c79f6c7e896d14bb3aaf8dcf

SHA1
13b50a66d5dc058826f55dfcb24f0c435b6260ef

SHA256
8812ef8d89efba5a778a6abf56adcc6415b2b09c88084c8584e34008148e6ba5

SHA512
02324cd4631addb611e5b42d7f36bf419d07920ae9c00c5a3d768294f574c30179f290d547fa5a5a5576ebd62bed91132ba16332fd03c226fb0a89d1a81441f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d5acdc3bac4103c754757236f7eead4

SHA1
ca54ce94bd27dce8701f8c5c1b1d95b66c2e0a31

SHA256
744268ad201b38ce4d027475d79982fc64d2df2e9ce43271ebe3b1556e78135d

SHA512
6206e5aff72f8dda63e4e6b67a59b24667e888aef250335627faf0e3832ff2c3d0fcb9c7f34281ebd47cbb93dbd78ac3417cc146aac652bae06df9fc9181161a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b93878492ee3bf4e01606501c83ccc24

SHA1
e9c34daa877a6a92c3c7c980b3d34076e666c044

SHA256
fc235ef14980bc676b16eec4c1dd3466f62fe4feb18ffd056a39c3f2edf4f718

SHA512
3cb3547238c92643b2673cbf60ab93d4e59d44db63e799db24991674b1bbc65e05b96bc2e6e6699cdb94c4ec08b83911cfc8f2137feefebab7b882dc57aa90df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
86acebcde13ff55a7a1cc23de91401b2

SHA1
004ccb2c607867db4db3cb6fcfbdbec31061eee3

SHA256
d7955d4b8bf23c60764b80296c997e5c017018a806120fd0007151483be086bc

SHA512
adbe97e3e10326bdc80b27cf9330d89d5dc78d64c3839b7010a71812c0d3c9b023b7304d90e170e22a100d0afcb9bbaccda93cc8e1d1c9b485f624405127554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\28E6.exe

Filesize
6.3MB

MD5
b1e8d4d7dd26612c17eccbf66b280e7c

SHA1
97dd5e81a4014fb54ef5ac3f1db88519843c85c2

SHA256
e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2

SHA512
ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31EC.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\589E.exe

Filesize
1.8MB

MD5
01cc26ecbfdeebceb71a8164da05fef3

SHA1
2bcadbcc1329fde8d7eb7b4ddee33a9690715b0a

SHA256
b8c3dd017ddb8ea416e886acf134b17e91c44b8ccc1eec03f760bb4b328ab00f

SHA512
006da3cbcca6bebfa82bb6d6d046e1a9a9a5bf8346bbc5ce30c1eb8b8249b930f9aaf8bbf92058183529e31827a8504f8f6b3710c0bb3e6a8a02b888e6766bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\62FB.exe

Filesize
63KB

MD5
cbfbeaf0a6e70056f43406053cd61f1e

SHA1
b7088a9f29b8ab84aedaffec81441580775d5393

SHA256
fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b

SHA512
2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C774.exe

Filesize
259KB

MD5
5ead0a4dc3bf605775d48f0442ba371e

SHA1
36250ca49ef272946f09e442a65625bbde8ce714

SHA256
4f61b6ed6fa23715adf50cd5f3a74a427fc65006404338d9d9ad242d02f1222f

SHA512
06f479022c5cb1de9fa5ae96766f8b35c8e692bb86f7bfad4fa583a65b0b44f68ce0b895f9845b55b02b49a02462377561a3d06eed00ef84ec9f3290a8bc2b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7B7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6B8.exe

Filesize
788KB

MD5
1e962c67893e14647c2b57a8b4fe25d4

SHA1
2f2ce07ed3712576d8629f42bc7d377cc5b2d62a

SHA256
c87c4bf8647258e7215f77f8b2ca29a4c507a2ff0f55f434cc3706f805291a3f

SHA512
1d256f3d66e252f54e46a56f01aca379d823d3e40af517604363a939084702e3ebb71eeed0c174ea608b4752b07f1f0493955f062167f0114462e06df58f1f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar119E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build2.exe

Filesize
255KB

MD5
c57c76d6dc6ed6b6e534d8180294fc2d

SHA1
6c164812674571f84eeba36d07e47241ca22c40e

SHA256
4e8d80a17217b51fde5079a5c195b4dc24890797cf6346c366a59c9c35847a2b

SHA512
6f92fe7f51aeecc12c216b4b801cc6320e70f89ac1bf5f9905df6bf2f753b7045da78d238cceddb0d93bac0feabaf8f4ffbb65acded8ba679515444f166a56a3

Download Submit
\Users\Admin\AppData\Local\564a32a0-4e91-4295-a1b8-85a67fdda0f5\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/108-397-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/108-400-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/108-396-0x00000000010A0000-0x00000000010B4000-memory.dmp

Filesize
80KB

Download
memory/108-408-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/108-406-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/108-401-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/108-398-0x0000000000330000-0x000000000034A000-memory.dmp

Filesize
104KB

Download
memory/108-399-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/988-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-255-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-372-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1016-389-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1016-373-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1016-371-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1016-370-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1016-369-0x0000000000890000-0x0000000000D3D000-memory.dmp

Filesize
4.7MB

Download
memory/1016-368-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/1016-367-0x0000000000890000-0x0000000000D3D000-memory.dmp

Filesize
4.7MB

Download
memory/1016-375-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1016-376-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1016-377-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1016-374-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1016-378-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1016-379-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1016-380-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1016-381-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1016-382-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1016-388-0x0000000000890000-0x0000000000D3D000-memory.dmp

Filesize
4.7MB

Download
memory/1016-390-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1244-4-0x0000000002B90000-0x0000000002BA6000-memory.dmp

Filesize
88KB

Download
memory/1244-21-0x0000000003AE0000-0x0000000003AF6000-memory.dmp

Filesize
88KB

Download
memory/1464-288-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1464-295-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1464-293-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1464-290-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1548-66-0x0000000004410000-0x00000000044A1000-memory.dmp

Filesize
580KB

Download
memory/1548-65-0x0000000004410000-0x00000000044A1000-memory.dmp

Filesize
580KB

Download
memory/1652-118-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1652-116-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1652-112-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1652-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1652-257-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1700-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1700-8-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1700-3-0x0000000000400000-0x0000000002BF4000-memory.dmp

Filesize
40.0MB

Download
memory/1700-5-0x0000000000400000-0x0000000002BF4000-memory.dmp

Filesize
40.0MB

Download
memory/1700-1-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/1828-19-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/1828-22-0x0000000000400000-0x0000000002BEC000-memory.dmp

Filesize
39.9MB

Download
memory/1828-20-0x0000000000400000-0x0000000002BEC000-memory.dmp

Filesize
39.9MB

Download
memory/2232-113-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/2232-111-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2540-32-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/2540-31-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/2540-33-0x0000000004570000-0x000000000468B000-memory.dmp

Filesize
1.1MB

Download
memory/2652-418-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/2784-287-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2784-285-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2800-266-0x0000000077730000-0x0000000077731000-memory.dmp

Filesize
4KB

Download
memory/2800-260-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2800-282-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2800-277-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2800-267-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2800-278-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2800-264-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2800-263-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2800-262-0x00000000001A0000-0x0000000000FCB000-memory.dmp

Filesize
14.2MB

Download
memory/2800-280-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2800-258-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2908-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2908-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2908-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2908-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2908-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-424-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download