dcrat | 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
Size

171KB
MD5

762c43c78ccf4d3b35574149b834f7a7
SHA1

b024585ab11a867a05b97f4de4336c14bb4e54e5
SHA256

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA512

83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827
SSDEEP

1536:fwXXLANewOH0Tnw7NVPU18mjkV41JYzHXPxCq9ySC8AW4pNhzjDFS1jRJTNg7A+:fExwOHJN6BjkyQ3P6z8AXBzjDI1ak+

Score

10^/10

dcrat djvu smokeloader vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.2

Botnet

7462cf1e49890509e46ee7ab1b511527

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes

profile_id_v2
7462cf1e49890509e46ee7ab1b511527
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart"		144D.exe
		2616	schtasks.exe
		2440	schtasks.exe

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/1864-117-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1864-118-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1864-114-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/360-113-0x00000000001C0000-0x00000000001F1000-memory.dmp	family_vidar_v7
behavioral1/memory/1864-189-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2232-30-0x0000000001AB0000-0x0000000001BCB000-memory.dmp	family_djvu
behavioral1/memory/1596-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1596-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1596-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1596-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-96-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2768-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1248	Process not Found

Executes dropped EXE 14 IoCs

pid	Process
2232	144D.exe
1596	144D.exe
1796	144D.exe
2768	144D.exe
360	build2.exe
1864	build2.exe
2516	build3.exe
2008	build3.exe
2716	mstsca.exe
3060	mstsca.exe
2296	512.exe
488	42CE.exe
1236	mstsca.exe
360	mstsca.exe

Loads dropped DLL 16 IoCs

pid	Process
2232	144D.exe
1596	144D.exe
1596	144D.exe
1796	144D.exe
2768	144D.exe
2768	144D.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
2768	144D.exe
2768	144D.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
1248	Process not Found

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2020	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart"	144D.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.2ip.ua
21	api.2ip.ua
30	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 1596	2232	144D.exe	34
PID 1796 set thread context of 2768	1796	144D.exe	38
PID 360 set thread context of 1864	360	build2.exe	41
PID 2516 set thread context of 2008	2516	build3.exe	46
PID 2716 set thread context of 3060	2716	mstsca.exe	51
PID 1236 set thread context of 360	1236	mstsca.exe	61

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1712	1864	WerFault.exe	41
3000	2296	WerFault.exe	54

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2440	schtasks.exe
2616	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
1704	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1704	8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1248	Process not Found
Token: SeShutdownPrivilege	1248	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2540	1248	Process not Found	28
PID 1248 wrote to memory of 2540	1248	Process not Found	28
PID 1248 wrote to memory of 2540	1248	Process not Found	28
PID 2540 wrote to memory of 2736	2540	cmd.exe	30
PID 2540 wrote to memory of 2736	2540	cmd.exe	30
PID 2540 wrote to memory of 2736	2540	cmd.exe	30
PID 1248 wrote to memory of 2232	1248	Process not Found	33
PID 1248 wrote to memory of 2232	1248	Process not Found	33
PID 1248 wrote to memory of 2232	1248	Process not Found	33
PID 1248 wrote to memory of 2232	1248	Process not Found	33
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 2232 wrote to memory of 1596	2232	144D.exe	34
PID 1596 wrote to memory of 2020	1596	144D.exe	36
PID 1596 wrote to memory of 2020	1596	144D.exe	36
PID 1596 wrote to memory of 2020	1596	144D.exe	36
PID 1596 wrote to memory of 2020	1596	144D.exe	36
PID 1596 wrote to memory of 1796	1596	144D.exe	37
PID 1596 wrote to memory of 1796	1596	144D.exe	37
PID 1596 wrote to memory of 1796	1596	144D.exe	37
PID 1596 wrote to memory of 1796	1596	144D.exe	37
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 1796 wrote to memory of 2768	1796	144D.exe	38
PID 2768 wrote to memory of 360	2768	144D.exe	40
PID 2768 wrote to memory of 360	2768	144D.exe	40
PID 2768 wrote to memory of 360	2768	144D.exe	40
PID 2768 wrote to memory of 360	2768	144D.exe	40
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 360 wrote to memory of 1864	360	build2.exe	41
PID 1864 wrote to memory of 1712	1864	build2.exe	44
PID 1864 wrote to memory of 1712	1864	build2.exe	44
PID 1864 wrote to memory of 1712	1864	build2.exe	44
PID 1864 wrote to memory of 1712	1864	build2.exe	44
PID 2768 wrote to memory of 2516	2768	144D.exe	45
PID 2768 wrote to memory of 2516	2768	144D.exe	45
PID 2768 wrote to memory of 2516	2768	144D.exe	45
PID 2768 wrote to memory of 2516	2768	144D.exe	45
PID 2516 wrote to memory of 2008	2516	build3.exe	46

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1704

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A3AF.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2736

C:\Users\Admin\AppData\Local\Temp\144D.exe
C:\Users\Admin\AppData\Local\Temp\144D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\144D.exe
  C:\Users\Admin\AppData\Local\Temp\144D.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\144D.exe
    "C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\144D.exe
      "C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
        
        "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:360
      - C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
        
        "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1420
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
        
        "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
        
        "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {E7A2A9B4-5FD5-4B12-9B20-BF3E392B84C9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:3060
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1236
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:360

C:\Users\Admin\AppData\Local\Temp\512.exe
C:\Users\Admin\AppData\Local\Temp\512.exe
1⤵
- Executes dropped EXE
PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 124
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:3000

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2040.bat" "
1⤵
PID:2304
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1760

C:\Users\Admin\AppData\Local\Temp\42CE.exe
C:\Users\Admin\AppData\Local\Temp\42CE.exe
1⤵
- Executes dropped EXE
PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a76a4d2836ddebbb5640efb5ffaa566b

SHA1
0e0a9a04a0b2fa6680a29bfeccdc029fe81bdbe7

SHA256
315d52f0713aa99da7c66fa92ef2599d542c068367661a42718c6b90df7a02ac

SHA512
4033d1a248c418e45dd2708582f32eda17d99724c4c956b6533eda52365453f64102ca3140d1d2e11d87e22e2d10e46c3385cddbec3a20d0c4547fc143139314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
80ea19369e68296f697809d129fc6aab

SHA1
83ed21c4c290249519e69d94575218b7768b49f8

SHA256
508a813b6655edba28f072a5074a65c576ad11ee3e3573f1c78060598fa989b6

SHA512
1848a66176dd46d5873587105b6248355ef718fd6a7439e225816d142b2dfe5375f373ec7ba34f89435327deda3b46bab90080b84104d6706aedae821b1fc1fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
924b3a794d280b281518067400a90bf4

SHA1
e363cfe3cfdcb4ac46fc9c6505b9ac7cb006a356

SHA256
312c1a09e0e51152b4b35fbe491ce448b1f712b1fbdfa688e00bc956c97af172

SHA512
414e7e3f1c0471c19243919660c462fb558b096db1f82ba3590349329cb05109ee93a04677c37392acb09b49740cd34cff12a88f610ba4766f0ee0a453dbfc33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
f50551b45d9d598517bfdabd1ac6f4a7

SHA1
5d13575398c30631c7a2df81721253ea967905a2

SHA256
4bbfd12ee83102d09887a94122ea1f33fb9730a95dbc2617ba5116539d172134

SHA512
9e803763076a28c6de34baf1d4c4d1dc9c78bd9a724ab5e2eb72f4e61171aa838e70b3a16b600e8c5a9afdd608af839efd8e6a2a23024b5358ddc9c2f4f52349

Download Submit
C:\Users\Admin\AppData\Local\Temp\144D.exe

Filesize
782KB

MD5
109125669dc1ccce29f0c630d2d985eb

SHA1
2d1b211ff69b6d3ff178ee9716263631e8f39027

SHA256
1718fb956c30c4a56490ecfc903ef34ed514ec13c1101d44ff4cf87095e5b064

SHA512
92bbf2eb15f7083bf5b3d376e15289c5d5e027b38100ec7cf5db6f811fde1a8e21ef32c87b9dd5120c096fdfcb7307fe4987e5c92d81fbd2c2807bb076074ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\144D.exe

Filesize
768KB

MD5
7bccb641f42dec236be4c60ef68881a9

SHA1
ce5fcf17eb701acc7d96197e07d4bd302fae3a26

SHA256
39850189a6997c495f5509d4849d05cd91b459d7f6c877f9be93a005e8b9cb21

SHA512
7d39efd12815633a992ac64afbff79125e645970d6c7aa1f9f94f0bea777a89409916c52d84d453a39a82787b44d4543be73faf4b78842134f5eebdd95eaca39

Download Submit
C:\Users\Admin\AppData\Local\Temp\144D.exe

Filesize
64KB

MD5
22761e10064393568fe7040fe4cf30a0

SHA1
55bc964c2dfce23f105251366b6717333bf3502a

SHA256
2a144d6efb11881d8d1b560cd4a611cd46c1207dbc07c431e94eecc6f5cb345e

SHA512
92f3d0b258cadc9d9d9a28a5ab4ddd10b7958d980c27414c9f2e794d8b9757bd41825d1c13adbee635a307c0667fe15443e5b886daa567711013300dfb206e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CE.exe

Filesize
6.1MB

MD5
86c6d381bc0a62b581b01775c8c3f060

SHA1
202986670f03d0c0df5b7306c6d93271d3639951

SHA256
4c00b8de0a3475cd7475e40f7cfed94a0e475226483a4277835a67363e401cb2

SHA512
dc61a428d388b7392c2b242cd50623096d3b7d04f7b65c0c88c25b5d48e3ddb85fe94ff5eb566654bcbed8e6b4b111c1e3341436383268fbd6df31fdd19e6a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\512.exe

Filesize
2.2MB

MD5
6c83f9fc17558984ab87be3f05b9ef62

SHA1
2c749a818af63849d0938d4bd4c27d471fa3fa49

SHA256
cf1ea19b06e59407c08a3af74606373e3a7dc100ba07d38b779eb79778c7f95d

SHA512
c0402f05a67e61f98bcb4a4c5b8167cea78657eef2ff5928f43ada39d00c976d6c6d72d13d4da1cab7d824cedf3d6a0dfe5bcddb7ab2ef22ec58e62387001821

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3AF.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20D9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4635.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar484D.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\Temp\144D.exe

Filesize
576KB

MD5
760f31189cbe24163385801f66b94be7

SHA1
c60804817aca0cd94d1f0a2426c6c972fb8e405b

SHA256
66c2ea73ef157f0f7cd558d13c604c5656e6af5a8fb9c2f436019cd08a7ce56d

SHA512
52d2e9196b848a7d5f51c50d844a862bea159638df330bd6b81498e99cdd17f1ce6024ba411146f3a07a485dafb9e9872bfaee714595eb5f69e7519a64fa65b9

Download Submit
\Users\Admin\AppData\Local\Temp\144D.exe

Filesize
256KB

MD5
d204d78acc5a68472862c384018dd1a3

SHA1
5c91a06e04474e91f0a21d9d609d365f83990b03

SHA256
531d078ecb17cb4e48ce6927034f46848dcc9ed807df82b6a44941662fd4ec63

SHA512
4187092e3127b5523ad66e56f25df9247839c1006fa9da063ee04a6bc11a0cb9a8edc764096fb47135cabe64259752a5abc9eba75eed1acf8ef95b8b1d452b6e

Download Submit
\Users\Admin\AppData\Local\Temp\42CE.exe

Filesize
6.9MB

MD5
cc027a9db129924f2940cce65a3a71e0

SHA1
b0e64d66c9aec2e0de0f7726f6179c8bd2602896

SHA256
3413c39a8123480dc468ee36bfb924b832138c54b4731f90a9c214f6ecde28e1

SHA512
f9a06d43f091b740e8c970ebd8f3a57ad35baba6f4e0f6d683072e0ecdbd80751be076fbe3c2af41169658bf15504435ba40ed5e798dbb9a3e7471478692a39a

Download Submit
\Users\Admin\AppData\Local\Temp\512.exe

Filesize
2.1MB

MD5
18814a4748efd9b1ab3ebd24f6bc44c1

SHA1
a3424d33503dd6089f13f1ebdb656929cb80fbe1

SHA256
1faca15afff96249d8048df8ead75f804f09da24d38821ec84a94ac346fe5b02

SHA512
238343f4d4dfceeaafaa6d9a89485cead0d13108fc4a77cdd3710436d77518e0970b0f1f974817c750e9a602b83705575620399bc6e5ca1cd8bc206d63664a1b

Download Submit
\Users\Admin\AppData\Local\Temp\512.exe

Filesize
2.0MB

MD5
36ef38dd8880a7db85af5845523a772f

SHA1
90c671006c30908b7be19ed4f55142e2ea99ed78

SHA256
2cb72689d9174422da75e24d4aa2d7fb7407b6172d9a316fe38e97c13685cf56

SHA512
3d582c991f2cf17e377efe092e8da24bad383357fb95d801659dfdc7f3c3cbf1a5cad9eb9fc7e6f52f68902b4b6dc57602826452476213a4769b73e7e99ba817

Download Submit
\Users\Admin\AppData\Local\Temp\512.exe

Filesize
1.9MB

MD5
42ece680975299ddbda787b4ae695996

SHA1
82a6bac93db2bd144e81ce678275644fe9c10a17

SHA256
cc6dd3c146ce1a9919a34570e1c3bb19e85d6d95d1131835c647c17ebc974eab

SHA512
dfafaa0dfa1d47c1fe3eb2283fb5a27c6df2a27871259830e8b8748d126a0c64f706e647e5b0ebe091d843e9278625a04a07f270f2ede0cccc40f5db1de91f7b

Download Submit
\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe

Filesize
306KB

MD5
88c5ca503e8fecbca8ee889a892b165c

SHA1
2ec61a72dc88584abda48f19fb8e4d2847264aed

SHA256
41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153

SHA512
366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9

Download Submit
memory/360-109-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/360-113-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/1236-300-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1248-4-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

Filesize
88KB

Download
memory/1596-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1596-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1596-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1596-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1596-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1704-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1704-1-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/1704-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1796-64-0x0000000000350000-0x00000000003E1000-memory.dmp

Filesize
580KB

Download
memory/1796-63-0x0000000000350000-0x00000000003E1000-memory.dmp

Filesize
580KB

Download
memory/1864-189-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1864-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-117-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1864-118-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1864-114-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2008-200-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-195-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-198-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2232-36-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2232-26-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2232-27-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2232-30-0x0000000001AB0000-0x0000000001BCB000-memory.dmp

Filesize
1.1MB

Download
memory/2296-265-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2296-294-0x0000000000220000-0x0000000000F05000-memory.dmp

Filesize
12.9MB

Download
memory/2296-248-0x0000000000220000-0x0000000000F05000-memory.dmp

Filesize
12.9MB

Download
memory/2296-228-0x0000000000220000-0x0000000000F05000-memory.dmp

Filesize
12.9MB

Download
memory/2296-233-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2296-235-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2296-237-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2516-193-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2516-192-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/2716-211-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/2768-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-96-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download