e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
133s
max time network
134s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
Size

2.6MB
MD5

a367e7069b0df249dbcd93f02f05a573
SHA1

bb9ae315e19ce9dce6cede2268c25c78d01c178a
SHA256

3b2b8b58a5a92c1a6d3a7d68d06661f39757cda0337d46164dc77aeace68adba
SHA512

9427c4cd8d705cae43389f36fa90526c6df7805dc2a718c6d009769948cea7ce728c5ca2efd49a47d1ad2308fd4bb3c3c1ebad64c03e0e3206dd1b36c59ef5c2
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eS:ObCjPKNqQEfsw43qtmVfq47

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2280	winmgr119.exe
1660	winmgr119.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral21/memory/2532-21-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral21/memory/2532-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral21/memory/2532-23-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral21/memory/2532-28-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral21/memory/2924-32-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral21/memory/2924-34-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral21/memory/2924-33-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral21/memory/2924-75-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral21/memory/3008-115-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral21/memory/2760-125-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io
4	icanhazip.com
6	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral21/files/0x0011000000012262-2.dat	autoit_exe
behavioral21/files/0x0037000000016255-9.dat	autoit_exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2592 set thread context of 2532	2592	RegAsm.exe	32
PID 2592 set thread context of 2924	2592	RegAsm.exe	35
PID 2592 set thread context of 1620	2592	RegAsm.exe	41
PID 2108 set thread context of 2464	2108	jhdfkldfhndfkjdfnbfklfnf.exe	80
PID 2464 set thread context of 3008	2464	RegAsm.exe	83
PID 2464 set thread context of 2760	2464	RegAsm.exe	85
PID 2464 set thread context of 664	2464	RegAsm.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe:Zone.Identifier:$DATA	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
1664	schtasks.exe
3032	schtasks.exe
2300	schtasks.exe
3000	schtasks.exe
1656	schtasks.exe
2008	schtasks.exe
2144	schtasks.exe
1496	schtasks.exe
2424	schtasks.exe
2308	schtasks.exe
2708	schtasks.exe
1632	schtasks.exe
2752	schtasks.exe
1512	schtasks.exe
1032	schtasks.exe
896	schtasks.exe
2780	schtasks.exe
2468	schtasks.exe
1940	schtasks.exe
1668	schtasks.exe
2856	schtasks.exe
2328	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2592	RegAsm.exe
2592	RegAsm.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2280	winmgr119.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe
1660	winmgr119.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2464	RegAsm.exe
2108	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	RegAsm.exe
Token: SeDebugPrivilege	2532	cvtres.exe
Token: SeDebugPrivilege	2924	cvtres.exe
Token: SeDebugPrivilege	1620	cvtres.exe
Token: SeDebugPrivilege	2464	RegAsm.exe
Token: SeDebugPrivilege	3008	cvtres.exe
Token: SeDebugPrivilege	2760	cvtres.exe
Token: SeDebugPrivilege	664	cvtres.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2592	RegAsm.exe
2464	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2108	1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe	28
PID 1672 wrote to memory of 2108	1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe	28
PID 1672 wrote to memory of 2108	1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe	28
PID 1672 wrote to memory of 2108	1672	[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe	28
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2592	2108	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2108 wrote to memory of 2752	2108	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2108 wrote to memory of 2752	2108	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2108 wrote to memory of 2752	2108	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2108 wrote to memory of 2752	2108	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2532	2592	RegAsm.exe	32
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2592 wrote to memory of 2924	2592	RegAsm.exe	35
PID 2108 wrote to memory of 3000	2108	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 2108 wrote to memory of 3000	2108	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 2108 wrote to memory of 3000	2108	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 2108 wrote to memory of 3000	2108	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2592 wrote to memory of 1620	2592	RegAsm.exe	41
PID 2108 wrote to memory of 1656	2108	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2108 wrote to memory of 1656	2108	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2108 wrote to memory of 1656	2108	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2108 wrote to memory of 1656	2108	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2108 wrote to memory of 2008	2108	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2108 wrote to memory of 2008	2108	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2108 wrote to memory of 2008	2108	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2108 wrote to memory of 2008	2108	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2108 wrote to memory of 2144	2108	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2108 wrote to memory of 2144	2108	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2108 wrote to memory of 2144	2108	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2108 wrote to memory of 2144	2108	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2108 wrote to memory of 2204	2108	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2108 wrote to memory of 2204	2108	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2108 wrote to memory of 2204	2108	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2108 wrote to memory of 2204	2108	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2108 wrote to memory of 1940	2108	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2108 wrote to memory of 1940	2108	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2108 wrote to memory of 1940	2108	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2108 wrote to memory of 1940	2108	jhdfkldfhndfkjdfnbfklfnf.exe	51

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC1DA.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpD5EF.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3000
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2008
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2204
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1664
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1512
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:896
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1668
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2856
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2328
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2424
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp3505.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp360F.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp36AC.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:664
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1496
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780

C:\Windows\system32\taskeng.exe
taskeng.exe {3DD372C0-919C-4F26-87BD-B628DC6903BF} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
PID:2416
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\khaxFMfI\009276b996b04917a9a60a951037d8a6

Filesize
16B

MD5
636e4614487ecf2c5a833bb3c5c29585

SHA1
7b6b6d2ca8c017ecea9815db184bbd572de5b75d

SHA256
5cae12936fed817cebfc80f9fc734408bbffaf5958647b7abe11858b6910d80f

SHA512
f0c44c5643e9f7616bd853eb1d425f2a3b14927b58710ec7bdfd715350bb2b3a1b5c130763871fee2a3bf0ca54a5fa6a299082fc452329e0a884cf7b8edb47bf

Download Submit
C:\ProgramData\khaxFMfI\189d625f98324bab87032800e1e7f084

Filesize
8B

MD5
45e35fe76f699c0b13ddfa9ad340f6d5

SHA1
187ffd441f8a518bb9b7de92e2028a98c5211f78

SHA256
504fedadfecaa93f2648ce5602b00a12afc99449f5a67a2f47926eed233dd716

SHA512
b52132d634485ad1f98428b3d8b1b60295c85e004a92059f761f45482bf1e9cea8905cc40e8b585c65dfde1906cd9e16ebe0b4f2cd7a749092181aaa57937109

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

Filesize
8B

MD5
79d806a3f689da7fa606f6985d82af9c

SHA1
e304312416d635da7c2a5953ebe2d243a7cd33b7

SHA256
ec2b2f71ffe08e88d2978431047942dc1b1e0a878c753deccdd492a7c129ac3e

SHA512
597a3865c702c8242ccc7e44daa6b212f50b0f699716153db83a54fea679c158531fab646935a3255918a41b9cce30283614051bb29d9d3843e8ab7a16f5e87c

Download Submit
C:\ProgramData\khaxFMfI\47928f366bbf48c9ad07f8d6a7670eaf

Filesize
88B

MD5
31fc3b4624950f6b8faf0b6bfd62c85b

SHA1
35a7bb3fbf7343ff3e262b72722830bda4dee686

SHA256
0aa586b6686f59c779e6d440c94934c7000bfb9398f5e4630d71cd5448035d37

SHA512
0828399091a9ee63764cbbb4d5f3be6c71303badea0b814d5fd03d2485cd2b9b440d67888e98a5a66c4893cc056fb650bdecbd9a32d218ae8435ccde5830e21b

Download Submit
C:\ProgramData\winmgr119.exe

Filesize
2.6MB

MD5
677efe7441f8b1d7852b31a866b5aac2

SHA1
d683be641b137fb6e37d8ec779ddae1c62595cbc

SHA256
98c654fce653c712c211e967ab61bb40eb53050283a8214e2805e629f103ed0a

SHA512
6562571ea0981bb6904cdabfa48bba88d8fdadd539212f00902067a78d20bd5bb248da55dc31c4938b4b7b321ead7b13b9f5a04c54d9f0f72b4c962de371cc60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp

Filesize
399B

MD5
e4bf4f7accc657622fe419c0d62419ab

SHA1
c2856936dd3de05bad0da5ca94d6b521e40ab5a2

SHA256
b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

SHA512
85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1DA.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5EF.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
cfb95fc2f75c14c1caf8642cc3a14a51

SHA1
7704c433772c83ae283f516302b862c7b2a40a3a

SHA256
4548fb30e0393139570ae4e383cd66ec7de14f8b44aa8ebce9f3fd2c4714e674

SHA512
8a44bcd748591ef249a7c56f920583a2ed5bf78c081dbaf814377173361f4a0ed30367383d0e915743cbbd2bbc1fdf5469f2b8f56ac9567555837e2606502b2a

Download Submit
memory/664-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-104-0x0000000000190000-0x000000000025A000-memory.dmp

Filesize
808KB

Download
memory/2464-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-102-0x0000000000190000-0x000000000025A000-memory.dmp

Filesize
808KB

Download
memory/2464-103-0x0000000000190000-0x000000000025A000-memory.dmp

Filesize
808KB

Download
memory/2532-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2532-28-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2532-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2532-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2592-17-0x0000000073EB2000-0x0000000073EB4000-memory.dmp

Filesize
8KB

Download
memory/2592-85-0x0000000073EB2000-0x0000000073EB4000-memory.dmp

Filesize
8KB

Download
memory/2592-14-0x0000000000230000-0x00000000002FA000-memory.dmp

Filesize
808KB

Download
memory/2592-16-0x0000000000230000-0x00000000002FA000-memory.dmp

Filesize
808KB

Download
memory/2592-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-10-0x0000000000230000-0x00000000002FA000-memory.dmp

Filesize
808KB

Download
memory/2592-12-0x0000000000230000-0x00000000002FA000-memory.dmp

Filesize
808KB

Download
memory/2760-125-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2924-32-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2924-34-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2924-33-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2924-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3008-115-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download