djvu | 45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4120301ffc74c815e99aba3ad78655.exe
Size

838KB
MD5

ca4120301ffc74c815e99aba3ad78655
SHA1

fb5f9b45d563d86028259a4a5df45d2d1a991ef7
SHA256

45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4
SHA512

281962ebe1e95a9001d6241cfda4b529b3d4204679ba7bc0ca3dcaf36074cd3e2d8e1d9225cb109f03fd0caed10f68592e2aa638c6db7d40bd1d319355751290
SSDEEP

12288:nQVHXDy9U1nKUglcTNLL2pgVHEbksRWDST5FZFWbbLnQjXg7RDD1XpSUa2+Isbya:QZzy9+hLLnrifZg8jXCDmUlob9z

Score

10^/10

djvu mylobot botnet discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://astdg.top/fhsgtsspen6/get.php

Attributes

extension
.reqg
offline_id
ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1
payload_url
http://securebiz.org/dl/build2.exe

http://astdg.top/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo

rsa_pubkey.plain

Extracted

Family

mylobot

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Signatures

Detected Djvu ransomware 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2364-2-0x0000000000C90000-0x0000000000DAB000-memory.dmp	family_djvu
behavioral2/memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-15-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3592-67-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3368-100-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3368-101-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3368-102-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3368-103-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ca4120301ffc74c815e99aba3ad78655.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ca4120301ffc74c815e99aba3ad78655.exe

Executes dropped EXE 4 IoCs

Processes:

build2.exebuild2.execa4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.exe

pid process

3756 build2.exe
4392 build2.exe
1736 ca4120301ffc74c815e99aba3ad78655.exe
3368 ca4120301ffc74c815e99aba3ad78655.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3540 icacls.exe

pid	process
3756	build2.exe
4392	build2.exe
1736	ca4120301ffc74c815e99aba3ad78655.exe
3368	ca4120301ffc74c815e99aba3ad78655.exe

pid	process
3540	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ca4120301ffc74c815e99aba3ad78655.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\afe6a77b-d3f1-42e3-91de-7519d3efb631\\ca4120301ffc74c815e99aba3ad78655.exe\" --AutoStart"	ca4120301ffc74c815e99aba3ad78655.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B6739726-CC4D-7988-B445-919996A2942F} = "c:\\programdata\\{2A63BF16-E47D-E598-B445-919996A2942F}\\87dc6f89.exe"	svchost.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.2ip.ua
16 api.2ip.ua
35 api.2ip.ua
193 api.2ip.ua

flow	ioc
12	api.2ip.ua
16	api.2ip.ua
35	api.2ip.ua
193	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

ca4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.exebuild2.execa4120301ffc74c815e99aba3ad78655.exe

description	pid	process	target process
PID 2364 set thread context of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 set thread context of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 3756 set thread context of 4392	3756	build2.exe	build2.exe
PID 1736 set thread context of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	build2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	build2.exe

Modifies registry class 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{704698EB-C380-BFBD-B445-919996A2942F}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{2A63BF15-E47E-E598-B445-919996A2942F}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{2A63BF15-E47E-E598-B445-919996A2942F}\ = "1710469789"	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ca4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.exebuild2.exesvchost.execa4120301ffc74c815e99aba3ad78655.exe

pid	process
224	ca4120301ffc74c815e99aba3ad78655.exe
224	ca4120301ffc74c815e99aba3ad78655.exe
3592	ca4120301ffc74c815e99aba3ad78655.exe
3592	ca4120301ffc74c815e99aba3ad78655.exe
4392	build2.exe
4392	build2.exe
4392	build2.exe
4392	build2.exe
4392	build2.exe
4392	build2.exe
388	svchost.exe
388	svchost.exe
3368	ca4120301ffc74c815e99aba3ad78655.exe
3368	ca4120301ffc74c815e99aba3ad78655.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

build2.exe

pid process

4392 build2.exe

pid	process
4392	build2.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ca4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.execa4120301ffc74c815e99aba3ad78655.exebuild2.exebuild2.exesvchost.execa4120301ffc74c815e99aba3ad78655.exe

C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe
"C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe
  "C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe
    "C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe
      "C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Users\Admin\AppData\Local\7dec8043-e79e-4465-be7a-7aca6bd01aef\build2.exe
        
        "C:\Users\Admin\AppData\Local\7dec8043-e79e-4465-be7a-7aca6bd01aef\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Users\Admin\AppData\Local\7dec8043-e79e-4465-be7a-7aca6bd01aef\build2.exe
        
        "C:\Users\Admin\AppData\Local\7dec8043-e79e-4465-be7a-7aca6bd01aef\build2.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:388

C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631\ca4120301ffc74c815e99aba3ad78655.exe
C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631\ca4120301ffc74c815e99aba3ad78655.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631\ca4120301ffc74c815e99aba3ad78655.exe
  C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631\ca4120301ffc74c815e99aba3ad78655.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d67fa48cf6cf5f1818b732ea24db1d6e

SHA1
44858909775b98c384307149a53b231f084427f6

SHA256
1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27

SHA512
c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
563eeaeda72f1bebe8625e75c113b6a2

SHA1
511caeac166b85abe05d11d0ee14ae30d4274c65

SHA256
8a498f009e0bb601d30b069e75935de0f39c27339473540d10229ab2171f2a3b

SHA512
ad33057436e4041304fcc8573c612671d126d74b954b887b3f2d1617d8595fbc374881ecb19e8eb28aebaed226e3d7a01394d4335a361d5ebfe31ddd2116f039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
a4baa35ad25ad9165bc6eb9921a9b724

SHA1
842123e85d8a7ce585af4beff3aa87d9d2f64e75

SHA256
3214baba881dcc5a07f55cfe8ab1105fa1581384b9ca89a590ba88b80b4ce52e

SHA512
ddfd304c79b73306a015cebf3257646495783bd8f60f35005d578ad29297bcccacc0f1c6e1141241a61a83056bf62f7c5ec994daaddfa32789d3ec7dfffa1dcc

Download Submit
C:\Users\Admin\AppData\Local\7dec8043-e79e-4465-be7a-7aca6bd01aef\build2.exe

Filesize
576KB

MD5
2e085fcd5f16febf51893d9054b4e565

SHA1
a7af6e55904934b7813b1ca03278a6f00f6c9774

SHA256
2226caaeaeb0d4c3cbae31480531a200d8119c174bcccdf9fb20d8006abc4298

SHA512
7f633cd190286fa183d637572c0eab61a9498323d9f3716e9e0a59d28b7ab9cb83179c894409810b161f73c005d838eecb18d0cd672adaff628f83526cda8d09

Download Submit
C:\Users\Admin\AppData\Local\afe6a77b-d3f1-42e3-91de-7519d3efb631\ca4120301ffc74c815e99aba3ad78655.exe

Filesize
838KB

MD5
ca4120301ffc74c815e99aba3ad78655

SHA1
fb5f9b45d563d86028259a4a5df45d2d1a991ef7

SHA256
45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4

SHA512
281962ebe1e95a9001d6241cfda4b529b3d4204679ba7bc0ca3dcaf36074cd3e2d8e1d9225cb109f03fd0caed10f68592e2aa638c6db7d40bd1d319355751290

Download Submit
memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/388-49-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-55-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-48-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-46-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-50-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-47-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/388-51-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/1332-18-0x0000000000AE0000-0x0000000000B78000-memory.dmp

Filesize
608KB

Download
memory/1736-97-0x0000000000A60000-0x0000000000AF8000-memory.dmp

Filesize
608KB

Download
memory/2364-2-0x0000000000C90000-0x0000000000DAB000-memory.dmp

Filesize
1.1MB

Download
memory/2364-1-0x0000000000AB0000-0x0000000000B49000-memory.dmp

Filesize
612KB

Download
memory/3368-100-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-101-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-102-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3368-103-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-54-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3592-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-67-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3592-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3756-40-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4392-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-52-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4392-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

description	pid	process	target process
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 2364 wrote to memory of 224	2364	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 224 wrote to memory of 3540	224	ca4120301ffc74c815e99aba3ad78655.exe	icacls.exe
PID 224 wrote to memory of 3540	224	ca4120301ffc74c815e99aba3ad78655.exe	icacls.exe
PID 224 wrote to memory of 3540	224	ca4120301ffc74c815e99aba3ad78655.exe	icacls.exe
PID 224 wrote to memory of 1332	224	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 224 wrote to memory of 1332	224	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 224 wrote to memory of 1332	224	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1332 wrote to memory of 3592	1332	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 3592 wrote to memory of 3756	3592	ca4120301ffc74c815e99aba3ad78655.exe	build2.exe
PID 3592 wrote to memory of 3756	3592	ca4120301ffc74c815e99aba3ad78655.exe	build2.exe
PID 3592 wrote to memory of 3756	3592	ca4120301ffc74c815e99aba3ad78655.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 3756 wrote to memory of 4392	3756	build2.exe	build2.exe
PID 4392 wrote to memory of 388	4392	build2.exe	svchost.exe
PID 4392 wrote to memory of 388	4392	build2.exe	svchost.exe
PID 4392 wrote to memory of 388	4392	build2.exe	svchost.exe
PID 4392 wrote to memory of 388	4392	build2.exe	svchost.exe
PID 388 wrote to memory of 3592	388	svchost.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 388 wrote to memory of 3592	388	svchost.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe
PID 1736 wrote to memory of 3368	1736	ca4120301ffc74c815e99aba3ad78655.exe	ca4120301ffc74c815e99aba3ad78655.exe