djvu | 91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a

Analysis

max time kernel
124s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5477d6420e21e75a4bb411a3947201a.exe
Size

259KB
MD5

e5477d6420e21e75a4bb411a3947201a
SHA1

7120bf0ba0196ecc8cc04dd0c3166185ee3f7892
SHA256

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
SHA512

de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
SSDEEP

6144:K7vq2CD3/WTO/Ukgn4olUKm4shprkwnf8/9tQ:ERM3/WTO/dgxUWshprDnatQ

Score

10^/10

djvu glupteba lumma redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1376-22-0x0000000002920000-0x0000000002A3B000-memory.dmp	family_djvu
behavioral2/memory/3016-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3016-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3016-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3016-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3016-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1496-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1496-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1496-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2020-353-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral2/memory/2440-510-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1948-59-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3532 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

83A3.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation 83A3.exe
Deletes itself 1 IoCs

Processes:

pid process

3416
Executes dropped EXE 8 IoCs

Processes:

83A3.exe83A3.exe83A3.exe83A3.exe9131.exeBF66.exeEBD7.exeF81D.exe

pid process

1376 83A3.exe
3016 83A3.exe
3648 83A3.exe
1496 83A3.exe
3512 9131.exe
4468 BF66.exe
4988 EBD7.exe
2020 F81D.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1940 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3532	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	83A3.exe

pid	process
3416

pid	process
1376	83A3.exe
3016	83A3.exe
3648	83A3.exe
1496	83A3.exe
3512	9131.exe
4468	BF66.exe
4988	EBD7.exe
2020	F81D.exe

pid	process
1940	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

83A3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2955dfb6-5388-4f1b-8545-dc1631c57ae2\\83A3.exe\" --AutoStart"	83A3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\F: explorer.exe
File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

81 raw.githubusercontent.com
82 raw.githubusercontent.com
86 drive.google.com
87 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 api.2ip.ua
49 api.2ip.ua

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
86	drive.google.com
87	drive.google.com

flow	ioc
48	api.2ip.ua
49	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

83A3.exe83A3.exe9131.exe

description	pid	process	target process
PID 1376 set thread context of 3016	1376	83A3.exe	83A3.exe
PID 3648 set thread context of 1496	3648	83A3.exe	83A3.exe
PID 3512 set thread context of 1948	3512	9131.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2380 1496 WerFault.exe 83A3.exe
4336 3512 WerFault.exe 9131.exe
3004 3096 WerFault.exe powershell.exe

pid	pid_target	process	target process
2380	1496	WerFault.exe	83A3.exe
4336	3512	WerFault.exe	9131.exe
3004	3096	WerFault.exe	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5477d6420e21e75a4bb411a3947201a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e5477d6420e21e75a4bb411a3947201a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e5477d6420e21e75a4bb411a3947201a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e5477d6420e21e75a4bb411a3947201a.exe

Modifies registry class 9 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{E3585D2F-172F-43D0-8741-6EBCE02EFD01}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e5477d6420e21e75a4bb411a3947201a.exe

pid	process
4708	e5477d6420e21e75a4bb411a3947201a.exe
4708	e5477d6420e21e75a4bb411a3947201a.exe
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e5477d6420e21e75a4bb411a3947201a.exe

pid process

4708 e5477d6420e21e75a4bb411a3947201a.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

9131.exeRegAsm.exeEBD7.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeDebugPrivilege	3512	9131.exe
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeDebugPrivilege	1948	RegAsm.exe
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeDebugPrivilege	4988	EBD7.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

explorer.exe

pid process

1964 explorer.exe
1964 explorer.exe
1964 explorer.exe
1964 explorer.exe
1964 explorer.exe
1964 explorer.exe
1964 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

cmd.exe83A3.exe83A3.exe83A3.exe9131.execmd.exeF81D.exe

description	pid	process	target process
PID 3416 wrote to memory of 3408	3416		cmd.exe
PID 3416 wrote to memory of 3408	3416		cmd.exe
PID 3408 wrote to memory of 4468	3408	cmd.exe	reg.exe
PID 3408 wrote to memory of 4468	3408	cmd.exe	reg.exe
PID 3416 wrote to memory of 1376	3416		83A3.exe
PID 3416 wrote to memory of 1376	3416		83A3.exe
PID 3416 wrote to memory of 1376	3416		83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 1376 wrote to memory of 3016	1376	83A3.exe	83A3.exe
PID 3016 wrote to memory of 1940	3016	83A3.exe	icacls.exe
PID 3016 wrote to memory of 1940	3016	83A3.exe	icacls.exe
PID 3016 wrote to memory of 1940	3016	83A3.exe	icacls.exe
PID 3016 wrote to memory of 3648	3016	83A3.exe	83A3.exe
PID 3016 wrote to memory of 3648	3016	83A3.exe	83A3.exe
PID 3016 wrote to memory of 3648	3016	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3648 wrote to memory of 1496	3648	83A3.exe	83A3.exe
PID 3416 wrote to memory of 3512	3416		9131.exe
PID 3416 wrote to memory of 3512	3416		9131.exe
PID 3416 wrote to memory of 3512	3416		9131.exe
PID 3512 wrote to memory of 1484	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1484	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1484	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3512 wrote to memory of 1948	3512	9131.exe	RegAsm.exe
PID 3416 wrote to memory of 4468	3416		BF66.exe
PID 3416 wrote to memory of 4468	3416		BF66.exe
PID 3416 wrote to memory of 4468	3416		BF66.exe
PID 3416 wrote to memory of 3916	3416		cmd.exe
PID 3416 wrote to memory of 3916	3416		cmd.exe
PID 3916 wrote to memory of 3924	3916	cmd.exe	reg.exe
PID 3916 wrote to memory of 3924	3916	cmd.exe	reg.exe
PID 3416 wrote to memory of 4988	3416		EBD7.exe
PID 3416 wrote to memory of 4988	3416		EBD7.exe
PID 3416 wrote to memory of 2020	3416		F81D.exe
PID 3416 wrote to memory of 2020	3416		F81D.exe
PID 3416 wrote to memory of 2020	3416		F81D.exe
PID 2020 wrote to memory of 3096	2020	F81D.exe	powershell.exe
PID 2020 wrote to memory of 3096	2020	F81D.exe	powershell.exe
PID 2020 wrote to memory of 3096	2020	F81D.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e5477d6420e21e75a4bb411a3947201a.exe
"C:\Users\Admin\AppData\Local\Temp\e5477d6420e21e75a4bb411a3947201a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8A10.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\83A3.exe
C:\Users\Admin\AppData\Local\Temp\83A3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\83A3.exe
C:\Users\Admin\AppData\Local\Temp\83A3.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2955dfb6-5388-4f1b-8545-dc1631c57ae2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1940

C:\Users\Admin\AppData\Local\Temp\83A3.exe
"C:\Users\Admin\AppData\Local\Temp\83A3.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\83A3.exe
"C:\Users\Admin\AppData\Local\Temp\83A3.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 568
5⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1496 -ip 1496
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\9131.exe
C:\Users\Admin\AppData\Local\Temp\9131.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 836
2⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3512 -ip 3512
1⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\BF66.exe
C:\Users\Admin\AppData\Local\Temp\BF66.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C15B.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\EBD7.exe
C:\Users\Admin\AppData\Local\Temp\EBD7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\F81D.exe
C:\Users\Admin\AppData\Local\Temp\F81D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 2412
3⤵
- Program crash
PID:3004

C:\Users\Admin\AppData\Local\Temp\F81D.exe
"C:\Users\Admin\AppData\Local\Temp\F81D.exe"
2⤵
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3392

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2552

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3096 -ip 3096
1⤵
PID:1816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
9cf716c47e637e9a55b15f45c552e73e

SHA1
191bc91ad59305c3e6af8f1deacdfa89dd276cc1

SHA256
a70cf28f826af417dcf52ab5dc85e6f646124077749fd2ffa3d3aff1c5fc3e94

SHA512
05b5688f65e879d3fd99a119c03ca7f4fb9a8aeba5294a8f63fce1b0004f080718a24e9e3627b29906c6249d022e5a0bab91c2bc4d082c1aaf3f454f1aa29fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
9a0b02a123a54859326766d3d08af0d9

SHA1
2ce6c0e7fd42fd0705f3dff1a3194882bafd2e70

SHA256
f582404f4932b98752a2378564bfa0b3a661202a33bbc12e8b6db39598f32e91

SHA512
7ac27bde49415f7bcffc9e8058ed855f56513a5a10c385fef79f5dee983dc38795d4488d9364173802906025dc6fbb9f402790cd03e973393a92bf17a56aec3b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1SA07OI6\microsoft.windows[1].xml
Filesize
97B

MD5
fb9854a5b056cc3d006b38bf0eab1b7c

SHA1
0a2b0432e2e9938be1f652c2247827e47b265f44

SHA256
3d454d15255bb82fb8a4cfa40ea848af32395be899aaaf83b6d626a814aa21c2

SHA512
20366182bf5a658b19e3df4eef2fa4e484bdcecc85a893834fbcb2b0ab64100a7694c3dbbdf1597bf3e3a747ede6fe7b81aab5f07653ef40a515edbef90ed00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\83A3.exe
Filesize
757KB

MD5
12406f0680a53a731d28ee671c5313ba

SHA1
066617eebf2a4445aeee0b124f30ca2354995184

SHA256
df0c257665d04aed4cf830fbfcf4e088694ef9ddeecfe2d783dcb762f70b03f0

SHA512
02ed5adeeb38d4b3f511fa8ed959cb251fd3b8b8a348595936c64ca75298d67cde10e2418ef40ee63f31cca331ab6ee82a5ed9a992082bfd01fdec4eac0c57b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A10.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9131.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF66.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBD7.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F81D.exe
Filesize
4.1MB

MD5
94e7b3098b7e793eb30c083ab99ec5cd

SHA1
fc9b58a211a5a4d74422a2ca6c8f68cda5ea7a83

SHA256
b07ccecc3f44715293ef1a725efc057781fd7de561e05601e85cfb43b0ad03a1

SHA512
d57830843544506136d781e974c872eba1bbef2f0362830a3cc1271401ae2b932cd9c660eb3e65b59e60631fa68b7d8b9108be218cf0f72fa7a1540ab3c87bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3b0gzbcd.ijn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a51036f05dc3f494ca20cbb52479f981

SHA1
4f26d17b15240b2a7d9cbeaf1c70f05a17118914

SHA256
d49d4ecf2b429afc864eb09d844a06410a3d49c71a1ced7977a87aa2520f5917

SHA512
a9d905d5128a4671867968fedf3445619ae5c343e41fedf1808e3ed7e2bca075a8507840d8f4f2b634f1051aebe03d4d066d24790edf8544df48de2006752b5d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b8b9a0d523f304d078fdfe6501ebbfca

SHA1
4b6494093507e00d230aed6c6f155c7d58ec43a5

SHA256
f5397da8f0a989f3eca53cfa52bf21a619f21d2e38a0ee719540ef85e24614ac

SHA512
36dfdda735407234e0afded46c61f27a9bd22b5c427c3dd2a0dc82160978c1635e3a30fa9f9bdfa7f6bf63a72922c6f2d16c9b31ae2edeff847c43641b83d200

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
7760b4e2294c8871bacf358657d37c70

SHA1
748311b766a29c6322fcfc3225154b27692f4472

SHA256
f7e6c1251de7d8fcdf1c614e507faefda5850866fc4fa5423b595a41d5c65769

SHA512
268b59837a55fbe3044b5c5f49bc4b46ced2073ba40bf65956e4f2f6bc33ba96f4d5946316653176f805da9a6766e56fd5106e54320a8a4e522854f7de0f6622

Download Submit
memory/8-473-0x00000210573D0000-0x00000210573F0000-memory.dmp

Filesize
128KB

Download
memory/8-475-0x0000021057390000-0x00000210573B0000-memory.dmp

Filesize
128KB

Download
memory/8-478-0x00000210577A0000-0x00000210577C0000-memory.dmp

Filesize
128KB

Download
memory/1376-20-0x00000000027D0000-0x0000000002869000-memory.dmp

Filesize
612KB

Download
memory/1376-22-0x0000000002920000-0x0000000002A3B000-memory.dmp

Filesize
1.1MB

Download
memory/1496-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1496-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1496-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1948-71-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/1948-103-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1948-66-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/1948-65-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1948-68-0x0000000005F30000-0x0000000006548000-memory.dmp

Filesize
6.1MB

Download
memory/1948-69-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/1948-70-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/1948-124-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1948-72-0x00000000052F0000-0x000000000533C000-memory.dmp

Filesize
304KB

Download
memory/1948-73-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/1948-74-0x0000000007640000-0x0000000007690000-memory.dmp

Filesize
320KB

Download
memory/1948-75-0x0000000006B40000-0x0000000006D02000-memory.dmp

Filesize
1.8MB

Download
memory/1948-76-0x0000000007BC0000-0x00000000080EC000-memory.dmp

Filesize
5.2MB

Download
memory/1948-64-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/1948-63-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/1948-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1948-62-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2020-353-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2440-510-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2920-466-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3016-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3016-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3016-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3016-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3016-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3416-4-0x0000000003350000-0x0000000003366000-memory.dmp

Filesize
88KB

Download
memory/3416-321-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/3424-515-0x0000000000F40000-0x0000000000F8B000-memory.dmp

Filesize
300KB

Download
memory/3424-511-0x0000000000F40000-0x0000000000F8B000-memory.dmp

Filesize
300KB

Download
memory/3512-54-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3512-67-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3512-53-0x0000000000070000-0x00000000000D4000-memory.dmp

Filesize
400KB

Download
memory/3512-55-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3512-61-0x00000000024E0000-0x00000000044E0000-memory.dmp

Filesize
32.0MB

Download
memory/3512-56-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3648-39-0x0000000002670000-0x0000000002711000-memory.dmp

Filesize
644KB

Download
memory/4052-396-0x0000021080730000-0x0000021080750000-memory.dmp

Filesize
128KB

Download
memory/4052-399-0x00000210806F0000-0x0000021080710000-memory.dmp

Filesize
128KB

Download
memory/4052-400-0x0000021080D20000-0x0000021080D40000-memory.dmp

Filesize
128KB

Download
memory/4468-123-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-100-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4468-112-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-111-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-110-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-109-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-108-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-107-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-106-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-104-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-114-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-125-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-126-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-133-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-132-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-131-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-130-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-129-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-128-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-127-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-115-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-116-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-117-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-118-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-122-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-81-0x0000000000750000-0x0000000001435000-memory.dmp

Filesize
12.9MB

Download
memory/4468-89-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4468-91-0x0000000000750000-0x0000000001435000-memory.dmp

Filesize
12.9MB

Download
memory/4468-93-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4468-90-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4468-119-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-120-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-121-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-92-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4468-105-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-102-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-101-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4468-113-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4468-98-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4468-95-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4468-99-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4468-96-0x0000000000750000-0x0000000001435000-memory.dmp

Filesize
12.9MB

Download
memory/4468-94-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4516-388-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4708-5-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/4708-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/4708-2-0x0000000002820000-0x000000000282B000-memory.dmp

Filesize
44KB

Download
memory/4708-1-0x0000000000C80000-0x0000000000D80000-memory.dmp

Filesize
1024KB

Download
memory/4988-436-0x00007FF725A80000-0x00007FF7279CC000-memory.dmp

Filesize
31.3MB

Download
memory/4988-327-0x00007FF725A80000-0x00007FF7279CC000-memory.dmp

Filesize
31.3MB

Download
memory/4988-514-0x00007FF725A80000-0x00007FF7279CC000-memory.dmp

Filesize
31.3MB

Download