djvu | 91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a

Analysis

max time kernel
70s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
Size

259KB
MD5

e5477d6420e21e75a4bb411a3947201a
SHA1

7120bf0ba0196ecc8cc04dd0c3166185ee3f7892
SHA256

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
SHA512

de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
SSDEEP

6144:K7vq2CD3/WTO/Ukgn4olUKm4shprkwnf8/9tQ:ERM3/WTO/dgxUWshprDnatQ

Score

10^/10

djvu glupteba lumma redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4204-21-0x00000000028C0000-0x00000000029DB000-memory.dmp	family_djvu
behavioral2/memory/1324-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1324-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1324-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1324-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1324-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4640-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4640-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4640-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2976-59-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\27EB.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1796-279-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1796-390-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1796-424-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3392 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AA3B.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation AA3B.exe
Deletes itself 1 IoCs

Processes:

pid process

3392
Executes dropped EXE 8 IoCs

Processes:

AA3B.exeAA3B.exeAA3B.exeAA3B.exeBC9B.exeF530.exe27EB.exe35D6.exe

pid process

4204 AA3B.exe
1324 AA3B.exe
3548 AA3B.exe
4640 AA3B.exe
3084 BC9B.exe
3604 F530.exe
1796 27EB.exe
3376 35D6.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

780 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3392	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	AA3B.exe

pid	process
3392

pid	process
4204	AA3B.exe
1324	AA3B.exe
3548	AA3B.exe
4640	AA3B.exe
3084	BC9B.exe
3604	F530.exe
1796	27EB.exe
3376	35D6.exe

pid	process
780	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AA3B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c1db1913-c679-4e53-8592-65daec1b9e32\\AA3B.exe\" --AutoStart"	AA3B.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

75 drive.google.com
68 raw.githubusercontent.com
70 raw.githubusercontent.com
74 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.2ip.ua
29 api.2ip.ua

flow	ioc
75	drive.google.com
68	raw.githubusercontent.com
70	raw.githubusercontent.com
74	drive.google.com

flow	ioc
28	api.2ip.ua
29	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

AA3B.exeAA3B.exeBC9B.exe

description	pid	process	target process
PID 4204 set thread context of 1324	4204	AA3B.exe	AA3B.exe
PID 3548 set thread context of 4640	3548	AA3B.exe	AA3B.exe
PID 3084 set thread context of 2976	3084	BC9B.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4712 4640 WerFault.exe AA3B.exe
2680 3084 WerFault.exe BC9B.exe

pid	pid_target	process	target process
4712	4640	WerFault.exe	AA3B.exe
2680	3084	WerFault.exe	BC9B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe

Modifies registry class 7 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{BCA2216F-F947-4F21-9A98-7975EB669881}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe

pid	process
4948	91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
4948	91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe

pid process

4948 91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

BC9B.exeRegAsm.exe27EB.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeDebugPrivilege	3084	BC9B.exe
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeDebugPrivilege	2976	RegAsm.exe
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeDebugPrivilege	1796	27EB.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeShutdownPrivilege	3392
Token: SeCreatePagefilePrivilege	3392
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe
Token: SeShutdownPrivilege	4912	explorer.exe
Token: SeCreatePagefilePrivilege	4912	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

explorer.exe

pid process

4912 explorer.exe
4912 explorer.exe
4912 explorer.exe
4912 explorer.exe
4912 explorer.exe
4912 explorer.exe
4912 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe
4912	explorer.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

cmd.exeAA3B.exeAA3B.exeAA3B.exeBC9B.execmd.exe35D6.exe

description	pid	process	target process
PID 3392 wrote to memory of 3160	3392		cmd.exe
PID 3392 wrote to memory of 3160	3392		cmd.exe
PID 3160 wrote to memory of 4796	3160	cmd.exe	reg.exe
PID 3160 wrote to memory of 4796	3160	cmd.exe	reg.exe
PID 3392 wrote to memory of 4204	3392		AA3B.exe
PID 3392 wrote to memory of 4204	3392		AA3B.exe
PID 3392 wrote to memory of 4204	3392		AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 4204 wrote to memory of 1324	4204	AA3B.exe	AA3B.exe
PID 1324 wrote to memory of 780	1324	AA3B.exe	icacls.exe
PID 1324 wrote to memory of 780	1324	AA3B.exe	icacls.exe
PID 1324 wrote to memory of 780	1324	AA3B.exe	icacls.exe
PID 1324 wrote to memory of 3548	1324	AA3B.exe	AA3B.exe
PID 1324 wrote to memory of 3548	1324	AA3B.exe	AA3B.exe
PID 1324 wrote to memory of 3548	1324	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3548 wrote to memory of 4640	3548	AA3B.exe	AA3B.exe
PID 3392 wrote to memory of 3084	3392		BC9B.exe
PID 3392 wrote to memory of 3084	3392		BC9B.exe
PID 3392 wrote to memory of 3084	3392		BC9B.exe
PID 3084 wrote to memory of 3164	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 3164	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 3164	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3084 wrote to memory of 2976	3084	BC9B.exe	RegAsm.exe
PID 3392 wrote to memory of 3604	3392		F530.exe
PID 3392 wrote to memory of 3604	3392		F530.exe
PID 3392 wrote to memory of 3604	3392		F530.exe
PID 3392 wrote to memory of 2892	3392		cmd.exe
PID 3392 wrote to memory of 2892	3392		cmd.exe
PID 2892 wrote to memory of 4672	2892	cmd.exe	reg.exe
PID 2892 wrote to memory of 4672	2892	cmd.exe	reg.exe
PID 3392 wrote to memory of 1796	3392		27EB.exe
PID 3392 wrote to memory of 1796	3392		27EB.exe
PID 3392 wrote to memory of 3376	3392		35D6.exe
PID 3392 wrote to memory of 3376	3392		35D6.exe
PID 3392 wrote to memory of 3376	3392		35D6.exe
PID 3376 wrote to memory of 4964	3376	35D6.exe	powershell.exe
PID 3376 wrote to memory of 4964	3376	35D6.exe	powershell.exe
PID 3376 wrote to memory of 4964	3376	35D6.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
"C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92CA.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\AA3B.exe
C:\Users\Admin\AppData\Local\Temp\AA3B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\AA3B.exe
C:\Users\Admin\AppData\Local\Temp\AA3B.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c1db1913-c679-4e53-8592-65daec1b9e32" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:780

C:\Users\Admin\AppData\Local\Temp\AA3B.exe
"C:\Users\Admin\AppData\Local\Temp\AA3B.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\AA3B.exe
"C:\Users\Admin\AppData\Local\Temp\AA3B.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 568
5⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\BC9B.exe
C:\Users\Admin\AppData\Local\Temp\BC9B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 776
2⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3084 -ip 3084
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\F530.exe
C:\Users\Admin\AppData\Local\Temp\F530.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F7C2.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\27EB.exe
C:\Users\Admin\AppData\Local\Temp\27EB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\35D6.exe
C:\Users\Admin\AppData\Local\Temp\35D6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Local\Temp\35D6.exe
"C:\Users\Admin\AppData\Local\Temp\35D6.exe"
2⤵
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4436

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3936

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
3b7537e4022c965e2597e8ff2e93ad36

SHA1
8a828c00d2eac2c4b815722744e88f81c0dab6ef

SHA256
7e1a7106e4c95f321f594acf91803b2da2d9332ceed50ae533c2616982d24c04

SHA512
54d824e3231a1e7802726a20ddc4c88e0186956ba206f887d60e63f7189e83f2115647ae7087cbd3c6f5e39cf49f4c3defaa0dd4ab6ed8d426c25ab1a5dfb08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
e18d7470ed6cb4f48be981a5472a22a4

SHA1
eb936724d97a4401589e14366d88d68c508edeb0

SHA256
39845d5b6e38fe5f8f5e5caad31eb4922bb67c626cc6b16911d25ba4fd411378

SHA512
90d22f4aba59e38b465ee076c8e9409f3e2c96c1dfbf9d67ee09f81c2a77f2db01201c1b6733401ba1387a43cb28edcb1eacf277b5c27dd7380c91e61f6c7029

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
75cb601514b72ab61dfd3996f5af1404

SHA1
0c4742f8e840976a45f80db9308928456d421dd9

SHA256
701fa1af6ce25d1d74548d3688a82a3b2562a05652ea09186c5d3ca18b464938

SHA512
14b5ae090b4fa05d3b05b1e0da336548b977b9c21e103120f6e67990f50e5c5a6409ddd544a56e97b678864fab3dd838b2d0f5de83728bcfdff2a04cc2ff1ce9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UXZE23G7\microsoft.windows[1].xml
Filesize
97B

MD5
cf431c7d433b1384d2f6df919483feeb

SHA1
f8ab70eb8a468990556a07731e8f4f698b8a159e

SHA256
12be83d718acf262c1535d1109ed07b917a3fd7d55f8a0d8f5d5bcdeeafcf626

SHA512
be8ba596a5c29006d5edc9e4089b63ec120062de8e2297b34756dea825b68a0afe361a9b5bcd9a8a9390308ddc97d3108328437b20cd14b89dda54a2991c4218

Download Submit
C:\Users\Admin\AppData\Local\Temp\27EB.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\35D6.exe
Filesize
4.1MB

MD5
e445c438749eab1cc57d98407a83875a

SHA1
4b67b8f084aaf3a7a89534b32beab4e5faef674d

SHA256
f5cb5ace2b7d35f46c14eb827cf041dba371d5b9b9c8c7ef8ca4af01faebab37

SHA512
1e338586df2dcf4a77f9605860e18c5feb6f0cdabf7165877a53996af944aac361a4ca1faa2cce791a0d1336458965888d05af495bb6e2faac6031ed3cd160d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\92CA.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA3B.exe
Filesize
759KB

MD5
46a230d9be88dd7dca63ab0ec41c0b14

SHA1
8072cc39226b6b18164eb58a81ce7433fae55c58

SHA256
59b4a0b07d2a7901e49e8cc55c2eae5b457fde6e8b25295374a3e4ee37e207b5

SHA512
8c21b6c8f33608e47ead31e1e731a7cd4791d53a05f4574143156f067669a4ced8b48ffcd4f13f5d9cf9eb63dfa7873d8f491b4a02e05370fd03ca210adf9a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC9B.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F530.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrpmkhxj.h3f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e3b515ab710e66d9751ee3a286346afc

SHA1
1dbaa2f8dff96158a7d31673fcc0124fb3384af5

SHA256
087c6955d6668cdcd1d5888fab0df5779d5efc8b2ac86c450cdbdc87df88d2cd

SHA512
f088f3a0762578b8482908b00ebc9d2f58e3e0aa12253a83b4aedb2e5cb74012142fedf4d5d9b7dbe73f24b02c82c889217569c9e5b5be752035f67de80d5c98

Download Submit
memory/1324-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1324-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1324-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1324-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1324-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1672-429-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1672-418-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1680-341-0x000001BBFEDF0000-0x000001BBFEE10000-memory.dmp

Filesize
128KB

Download
memory/1680-338-0x000001BBFEE30000-0x000001BBFEE50000-memory.dmp

Filesize
128KB

Download
memory/1680-343-0x000001BBFF290000-0x000001BBFF2B0000-memory.dmp

Filesize
128KB

Download
memory/1768-332-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1796-424-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp

Filesize
31.3MB

Download
memory/1796-279-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp

Filesize
31.3MB

Download
memory/1796-390-0x00007FF7C94E0000-0x00007FF7CB42C000-memory.dmp

Filesize
31.3MB

Download
memory/2976-66-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/2976-65-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/2976-69-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/2976-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2976-73-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/2976-74-0x0000000006FE0000-0x00000000071A2000-memory.dmp

Filesize
1.8MB

Download
memory/2976-75-0x00000000076E0000-0x0000000007C0C000-memory.dmp

Filesize
5.2MB

Download
memory/2976-76-0x0000000007670000-0x00000000076C0000-memory.dmp

Filesize
320KB

Download
memory/2976-78-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2976-71-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/2976-70-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/2976-61-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/2976-68-0x0000000006530000-0x0000000006B48000-memory.dmp

Filesize
6.1MB

Download
memory/2976-72-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/2976-64-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2976-62-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/3084-63-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/3084-67-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/3084-58-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3084-55-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3084-54-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/3084-53-0x00000000005B0000-0x0000000000614000-memory.dmp

Filesize
400KB

Download
memory/3376-309-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/3392-267-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3392-4-0x0000000002A50000-0x0000000002A66000-memory.dmp

Filesize
88KB

Download
memory/3548-39-0x0000000002770000-0x000000000280B000-memory.dmp

Filesize
620KB

Download
memory/3604-109-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-105-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-107-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-110-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-111-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-114-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-113-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-112-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-115-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-116-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-117-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-118-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-119-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-120-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-121-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-122-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-123-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-125-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-124-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-127-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-126-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-130-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3604-128-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-129-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-132-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3604-133-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3604-134-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3604-131-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/3604-106-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-108-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-104-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-103-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-102-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-101-0x0000000003B80000-0x0000000003C80000-memory.dmp

Filesize
1024KB

Download
memory/3604-100-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/3604-98-0x00000000001A0000-0x0000000000E85000-memory.dmp

Filesize
12.9MB

Download
memory/3604-97-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/3604-96-0x0000000001470000-0x0000000001471000-memory.dmp

Filesize
4KB

Download
memory/3604-94-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3604-95-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/3604-92-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3604-93-0x00000000001A0000-0x0000000000E85000-memory.dmp

Filesize
12.9MB

Download
memory/3604-91-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3604-83-0x00000000001A0000-0x0000000000E85000-memory.dmp

Filesize
12.9MB

Download
memory/3900-412-0x0000027170DE0000-0x0000027170E00000-memory.dmp

Filesize
128KB

Download
memory/3900-414-0x0000027170DA0000-0x0000027170DC0000-memory.dmp

Filesize
128KB

Download
memory/3900-416-0x00000271713B0000-0x00000271713D0000-memory.dmp

Filesize
128KB

Download
memory/4120-401-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/4204-21-0x00000000028C0000-0x00000000029DB000-memory.dmp

Filesize
1.1MB

Download
memory/4204-20-0x00000000026D0000-0x0000000002772000-memory.dmp

Filesize
648KB

Download
memory/4640-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4640-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4640-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4900-456-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/4948-1-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

Filesize
1024KB

Download
memory/4948-2-0x0000000000C90000-0x0000000000C9B000-memory.dmp

Filesize
44KB

Download
memory/4948-3-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download
memory/4948-5-0x0000000000400000-0x0000000000AEA000-memory.dmp

Filesize
6.9MB

Download