djvu | 471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8

Analysis

max time kernel
61s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
Size

260KB
MD5

8fdbb8914b3d1d601c0557478886a731
SHA1

8fe3855f2448d0a11cb8191ac7b6c496be3aadec
SHA256

471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8
SHA512

ee890542b4d67d35b71fcacb0c8fbd578fc7fcad3e852cf55281d72efed573c13e76c603e05a14a44f2a2e3b3ec1d87fc14cf0e507279cab472e14252acd4da7
SSDEEP

3072:sFIby+X2CcC3GnpFoTOz6++aekasG+hXexfgoCOPHAxWwAac5kEzF2cuUyX1A6Z:sm+q2CD30WTOPwktGvgYwAaH8F2N

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.6

Botnet

5739ef2bbcd39fcd59c5746bfe4238c5

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
5739ef2bbcd39fcd59c5746bfe4238c5
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4768-71-0x0000000000680000-0x00000000006B1000-memory.dmp	family_vidar_v7
behavioral1/memory/508-69-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/508-74-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/508-75-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/508-121-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1532-21-0x0000000002910000-0x0000000002A2B000-memory.dmp	family_djvu
behavioral1/memory/3036-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3036-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3036-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3036-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3036-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-106-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3396-127-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4392-256-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral1/memory/4392-293-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5000-93-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3436 netsh.exe

pid	process
3436	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9A6C.exe9A6C.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	9A6C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	9A6C.exe

Deletes itself 1 IoCs

Processes:

pid process

3320
Executes dropped EXE 11 IoCs

Processes:

9A6C.exe9A6C.exe9A6C.exe9A6C.exebuild2.exebuild2.exeB19F.exebuild3.exeDD34.exe17CE.exe258A.exe

pid process

1532 9A6C.exe
3036 9A6C.exe
4804 9A6C.exe
3396 9A6C.exe
4768 build2.exe
508 build2.exe
4220 B19F.exe
2384 build3.exe
1048 DD34.exe
3764 17CE.exe
4392 258A.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3016 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3320

pid	process
1532	9A6C.exe
3036	9A6C.exe
4804	9A6C.exe
3396	9A6C.exe
4768	build2.exe
508	build2.exe
4220	B19F.exe
2384	build3.exe
1048	DD34.exe
3764	17CE.exe
4392	258A.exe

pid	process
3016	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9A6C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\61560402-4c9b-40fe-a5b8-ba2ca060e76e\\9A6C.exe\" --AutoStart"	9A6C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

86 raw.githubusercontent.com
89 drive.google.com
90 drive.google.com
85 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.2ip.ua
25 api.2ip.ua
30 api.2ip.ua

flow	ioc
86	raw.githubusercontent.com
89	drive.google.com
90	drive.google.com
85	raw.githubusercontent.com

flow	ioc
24	api.2ip.ua
25	api.2ip.ua
30	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

9A6C.exe9A6C.exebuild2.exeB19F.exe

description	pid	process	target process
PID 1532 set thread context of 3036	1532	9A6C.exe	9A6C.exe
PID 4804 set thread context of 3396	4804	9A6C.exe	9A6C.exe
PID 4768 set thread context of 508	4768	build2.exe	build2.exe
PID 4220 set thread context of 5000	4220	B19F.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1092 4220 WerFault.exe B19F.exe
2188 508 WerFault.exe build2.exe

pid	pid_target	process	target process
1092	4220	WerFault.exe	B19F.exe
2188	508	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe

pid	process
2656	471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
2656	471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe

pid process

2656 471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

B19F.exeRegAsm.exe17CE.exe

description	pid	process
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeDebugPrivilege	4220	B19F.exe
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeDebugPrivilege	5000	RegAsm.exe
Token: SeDebugPrivilege	3764	17CE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe9A6C.exe9A6C.exe9A6C.exe9A6C.exebuild2.exeB19F.exe

description	pid	process	target process
PID 3320 wrote to memory of 3008	3320		cmd.exe
PID 3320 wrote to memory of 3008	3320		cmd.exe
PID 3008 wrote to memory of 4724	3008	cmd.exe	reg.exe
PID 3008 wrote to memory of 4724	3008	cmd.exe	reg.exe
PID 3320 wrote to memory of 1532	3320		9A6C.exe
PID 3320 wrote to memory of 1532	3320		9A6C.exe
PID 3320 wrote to memory of 1532	3320		9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 1532 wrote to memory of 3036	1532	9A6C.exe	9A6C.exe
PID 3036 wrote to memory of 3016	3036	9A6C.exe	icacls.exe
PID 3036 wrote to memory of 3016	3036	9A6C.exe	icacls.exe
PID 3036 wrote to memory of 3016	3036	9A6C.exe	icacls.exe
PID 3036 wrote to memory of 4804	3036	9A6C.exe	9A6C.exe
PID 3036 wrote to memory of 4804	3036	9A6C.exe	9A6C.exe
PID 3036 wrote to memory of 4804	3036	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 4804 wrote to memory of 3396	4804	9A6C.exe	9A6C.exe
PID 3396 wrote to memory of 4768	3396	9A6C.exe	build2.exe
PID 3396 wrote to memory of 4768	3396	9A6C.exe	build2.exe
PID 3396 wrote to memory of 4768	3396	9A6C.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 4768 wrote to memory of 508	4768	build2.exe	build2.exe
PID 3320 wrote to memory of 4220	3320		B19F.exe
PID 3320 wrote to memory of 4220	3320		B19F.exe
PID 3320 wrote to memory of 4220	3320		B19F.exe
PID 4220 wrote to memory of 3500	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 3500	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 3500	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 4220 wrote to memory of 5000	4220	B19F.exe	RegAsm.exe
PID 3396 wrote to memory of 2384	3396	9A6C.exe	build3.exe
PID 3396 wrote to memory of 2384	3396	9A6C.exe	build3.exe
PID 3396 wrote to memory of 2384	3396	9A6C.exe	build3.exe
PID 3320 wrote to memory of 1048	3320		DD34.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
"C:\Users\Admin\AppData\Local\Temp\471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BA6.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\9A6C.exe
C:\Users\Admin\AppData\Local\Temp\9A6C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\9A6C.exe
C:\Users\Admin\AppData\Local\Temp\9A6C.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\61560402-4c9b-40fe-a5b8-ba2ca060e76e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3016

C:\Users\Admin\AppData\Local\Temp\9A6C.exe
"C:\Users\Admin\AppData\Local\Temp\9A6C.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\9A6C.exe
"C:\Users\Admin\AppData\Local\Temp\9A6C.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build2.exe
"C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build2.exe
"C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build2.exe"
6⤵
- Executes dropped EXE
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2132
7⤵
- Program crash
PID:2188

C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build3.exe
"C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build3.exe"
5⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\B19F.exe
C:\Users\Admin\AppData\Local\Temp\B19F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 844
2⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 508 -ip 508
1⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\DD34.exe
C:\Users\Admin\AppData\Local\Temp\DD34.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DF77.bat" "
1⤵
PID:4128

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\17CE.exe
C:\Users\Admin\AppData\Local\Temp\17CE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\258A.exe
C:\Users\Admin\AppData\Local\Temp\258A.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\258A.exe
"C:\Users\Admin\AppData\Local\Temp\258A.exe"
2⤵
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4040

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
913d4ffe7b4dcc57225d84d352e06abc

SHA1
9531a176c280a1b9d544dc7ebf7b1e4107fedc63

SHA256
75fd1a3412a91ff68ebb9d40936c1db5e6fa812e90e1ce89891ee9817e346126

SHA512
3ad3fb9414eb63610cc61f0b352c0c075ad1067e44fbbe512eb8385160663ff818e2091abc0486f674f75d7052a1f446bf6cf908ecf77f5183f548723139d320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
d98031f4f29dbb207ee3467cbb65f162

SHA1
9c0679aecd86dd30f1c9d56551c8f13b95ccc495

SHA256
4fda7e656655366021b787609304d82e67f7fc43789a7802b4bcd39340ebc7e1

SHA512
3dcd108c8b4d8710ef94e40362c7fa11184e59cb3113c0edfa3dda004c6894d62b6f9cb953518a1f50aabcbac28e8fe8c1e37c9dd17dcb0bb3a5044d93718fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
58fb98e7ed335a82c3ffc1d185e56292

SHA1
d9f55f5d8cb4f31d8af27fd53315f816803cb691

SHA256
74a4703172ae180eff85b77c5b00ad82bb623ff65892b694300d72c6231e0db4

SHA512
4418d8d4897a87d89fe747a60740e155debca02cd9b680ce657e1683ad8496f8bf809e911c2a0f639fb38bc4099ce07dc5a61045a5fbdc896f596e4307e8203f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
04f0e43343e127af6f22ef2b8d92b727

SHA1
74432077c2035df6e683a6ab2671a9d4f0c8bd12

SHA256
2f582049c8cb2f83d0c38f6a0c5fc62e6522e68d8e1085f1aeb951b76f7eb7f6

SHA512
5d596a5fee9987dbf98325a85168fa5fa261b4ea119bf6817ad15d6027ad8a003cecc2021a06506aba4605dfab7e6965b8c48aab0726ed97edeb555ede1521e0

Download Submit
C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build2.exe
Filesize
277KB

MD5
8dae8b6a6be6e3527183594d1c26a2d3

SHA1
b87e40cee60869a36e79c88c8a3a34baf0bc4889

SHA256
afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5

SHA512
0bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e

Download Submit
C:\Users\Admin\AppData\Local\5c43164f-df4f-4f22-b3e5-db1fb35e4b58\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
9a0b02a123a54859326766d3d08af0d9

SHA1
2ce6c0e7fd42fd0705f3dff1a3194882bafd2e70

SHA256
f582404f4932b98752a2378564bfa0b3a661202a33bbc12e8b6db39598f32e91

SHA512
7ac27bde49415f7bcffc9e8058ed855f56513a5a10c385fef79f5dee983dc38795d4488d9364173802906025dc6fbb9f402790cd03e973393a92bf17a56aec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17CE.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\258A.exe
Filesize
4.1MB

MD5
5d1e9321deb7332be15cae2971fc26c0

SHA1
cd84786a761e375c257fc7165ae360b0c00a232b

SHA256
750d94a7cfe19ef443791b99f172a68c077f79f7c37c03e4a1ac3f0090ea901a

SHA512
a4cd617d0bbaf75d7ee143fa5a4ea8ea15a46856bfb2b6c27b7853a130b639d3493f2c6df5dc9611edaeb7fe05cb56b21b66de7ebfe945eac7d815b1b59f74d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BA6.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6C.exe
Filesize
758KB

MD5
6ad966859e42d5dc1f1741a1342661b5

SHA1
acbb017fd42cf3ee91b2d6bb4839b8ff5c8edc86

SHA256
c7b11ca29d31194bcb76dfdce3e0a58bfa674285fe55e3ca1409bd191ad8af9d

SHA512
e41c255be14540c9135ee98719937d3a64bffc794ca9261fadaf876925619a89f26f4ab3671f03b5b49278db032b4cf9b28fafcdb49e6bd1679670894724857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B19F.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD34.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3uecnt0.odv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
1fb9d2088ded5cec6042bbf2a86be17c

SHA1
5736e0d6194fc506d123dc47af028bb8483c9b5e

SHA256
fab7b5115c5348f4c800c9b2fe95f9c4b6ba97504d27f136e0e2b59f5fabe716

SHA512
2b959ba8fa28af83d8e11f8fb06a99fcaee3c713580bd46a73c4bc97bcb78c07d8b271fc1484a825342587b06ce526f389d3babbb6320491307b492de1c2af86

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/508-121-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/508-75-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/508-74-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/508-69-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1048-134-0x00000000007D0000-0x00000000014B5000-memory.dmp

Filesize
12.9MB

Download
memory/1048-175-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-181-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-180-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-179-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-178-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-176-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-177-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-174-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-173-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-172-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-171-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-166-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-170-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-169-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-168-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-167-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-165-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-163-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-164-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-162-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-161-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-160-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-159-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-158-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-156-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-157-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-155-0x0000000003D40000-0x0000000003E40000-memory.dmp

Filesize
1024KB

Download
memory/1048-149-0x00000000030D0000-0x0000000003102000-memory.dmp

Filesize
200KB

Download
memory/1048-150-0x00000000030D0000-0x0000000003102000-memory.dmp

Filesize
200KB

Download
memory/1048-153-0x00000000030D0000-0x0000000003102000-memory.dmp

Filesize
200KB

Download
memory/1048-152-0x00000000030D0000-0x0000000003102000-memory.dmp

Filesize
200KB

Download
memory/1048-151-0x00000000030D0000-0x0000000003102000-memory.dmp

Filesize
200KB

Download
memory/1048-148-0x00000000007D0000-0x00000000014B5000-memory.dmp

Filesize
12.9MB

Download
memory/1048-145-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1048-146-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1048-147-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1048-143-0x00000000007D0000-0x00000000014B5000-memory.dmp

Filesize
12.9MB

Download
memory/1048-141-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/1048-142-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/1048-144-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1532-21-0x0000000002910000-0x0000000002A2B000-memory.dmp

Filesize
1.1MB

Download
memory/1532-20-0x0000000002650000-0x00000000026E9000-memory.dmp

Filesize
612KB

Download
memory/2656-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/2656-1-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/2656-2-0x0000000002820000-0x000000000282B000-memory.dmp

Filesize
44KB

Download
memory/2656-5-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/2768-375-0x000001C989000000-0x000001C989020000-memory.dmp

Filesize
128KB

Download
memory/2768-373-0x000001C988BF0000-0x000001C988C10000-memory.dmp

Filesize
128KB

Download
memory/2768-371-0x000001C988C30000-0x000001C988C50000-memory.dmp

Filesize
128KB

Download
memory/2916-390-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/3036-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3036-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3036-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3036-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3036-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3320-4-0x00000000078E0000-0x00000000078F6000-memory.dmp

Filesize
88KB

Download
memory/3320-246-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/3396-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-106-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3764-253-0x00007FF79F010000-0x00007FF7A0F5C000-memory.dmp

Filesize
31.3MB

Download
memory/3764-387-0x00007FF79F010000-0x00007FF7A0F5C000-memory.dmp

Filesize
31.3MB

Download
memory/3764-315-0x00007FF79F010000-0x00007FF7A0F5C000-memory.dmp

Filesize
31.3MB

Download
memory/4216-365-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/4220-109-0x0000000002620000-0x0000000004620000-memory.dmp

Filesize
32.0MB

Download
memory/4220-88-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4220-90-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4220-89-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4220-120-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/4220-87-0x0000000000040000-0x00000000000A4000-memory.dmp

Filesize
400KB

Download
memory/4392-256-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/4392-293-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/4636-388-0x0000000000A40000-0x0000000000A8B000-memory.dmp

Filesize
300KB

Download
memory/4636-385-0x0000000000A40000-0x0000000000A8B000-memory.dmp

Filesize
300KB

Download
memory/4768-71-0x0000000000680000-0x00000000006B1000-memory.dmp

Filesize
196KB

Download
memory/4768-70-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/4804-39-0x0000000000D20000-0x0000000000DBF000-memory.dmp

Filesize
636KB

Download
memory/5000-118-0x0000000005A80000-0x0000000005ABC000-memory.dmp

Filesize
240KB

Download
memory/5000-119-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/5000-117-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/5000-115-0x0000000006890000-0x0000000006EA8000-memory.dmp

Filesize
6.1MB

Download
memory/5000-111-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/5000-93-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5000-110-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/5000-116-0x0000000005B10000-0x0000000005C1A000-memory.dmp

Filesize
1.0MB

Download
memory/5000-124-0x0000000006420000-0x0000000006486000-memory.dmp

Filesize
408KB

Download
memory/5000-125-0x00000000072C0000-0x0000000007482000-memory.dmp

Filesize
1.8MB

Download
memory/5000-114-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/5000-112-0x0000000073220000-0x00000000739D0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-113-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/5000-126-0x00000000079C0000-0x0000000007EEC000-memory.dmp

Filesize
5.2MB

Download
memory/5000-128-0x00000000077E0000-0x0000000007830000-memory.dmp

Filesize
320KB

Download