f761860dedc916d3ba75130f503d2b6c68469fea0132c4a8a298410c2cbb6d2d

Analysis

max time kernel
142s
max time network
134s
platform
windows10_x64
resource
win10v20201028
submitted
18-01-2021 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

638KB
MD5

2c57749822cc2b1db2ebdd5531cc2ee1
SHA1

ab941b0ea53e92346f379976abac27d737f9576c
SHA256

f761860dedc916d3ba75130f503d2b6c68469fea0132c4a8a298410c2cbb6d2d
SHA512

d8ac819d7588e74c93cdf68f8cd6fb99135f2167264f41f11b06b074ff0f5a554bbd214e7545a76acacbd7a1467872d74940db4a90a79305f7c6ef797ac7c2cd

Score

10^/10

discovery evasion spyware upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4416 created 3908 4416 WerFault.exe cykxqcy.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

34 4468 RUNDLL32.EXE
42 2712 WScript.exe
44 2712 WScript.exe
46 2712 WScript.exe
48 2712 WScript.exe
Executes dropped EXE 6 IoCs

Processes:

File51.exe4_ico.exe6_ico.exevpn_ico.exeSmartClock.execykxqcy.exe

pid process

4044 File51.exe
4068 4_ico.exe
1152 6_ico.exe
1564 vpn_ico.exe
3628 SmartClock.exe
3908 cykxqcy.exe

description	pid	process	target process
PID 4416 created 3908	4416	WerFault.exe	cykxqcy.exe

flow	pid	process
34	4468	RUNDLL32.EXE
42	2712	WScript.exe
44	2712	WScript.exe
46	2712	WScript.exe
48	2712	WScript.exe

pid	process
4044	File51.exe
4068	4_ico.exe
1152	6_ico.exe
1564	vpn_ico.exe
3628	SmartClock.exe
3908	cykxqcy.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe	upx
C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe	upx
behavioral2/memory/4416-88-0x00000000049C0000-0x00000000049C1000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SmartClock.exe6_ico.exe4_ico.exevpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6_ico.exevpn_ico.exeSmartClock.exe4_ico.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	4_ico.exe

Loads dropped DLL 4 IoCs

Processes:

File51.exerundll32.exeRUNDLL32.EXE

pid process

4044 File51.exe
4368 rundll32.exe
4368 rundll32.exe
4468 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

pid process

4068 4_ico.exe
1152 6_ico.exe
1564 vpn_ico.exe
3628 SmartClock.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4416 3908 WerFault.exe cykxqcy.exe

pid	process
4044	File51.exe
4368	rundll32.exe
4368	rundll32.exe
4468	RUNDLL32.EXE

flow	ioc
18	ip-api.com

pid	pid_target	process	target process
4416	3908	WerFault.exe	cykxqcy.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exevpn_ico.exeRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

3292 timeout.exe
4284 timeout.exe
4348 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings vpn_ico.exe

pid	process
3292	timeout.exe
4284	timeout.exe
4348	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3628 SmartClock.exe

pid	process
3628	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exeWerFault.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4068	4_ico.exe
4068	4_ico.exe
1152	6_ico.exe
1152	6_ico.exe
1564	vpn_ico.exe
1564	vpn_ico.exe
3628	SmartClock.exe
3628	SmartClock.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
4468	RUNDLL32.EXE
4468	RUNDLL32.EXE
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4416	WerFault.exe
Token: SeBackupPrivilege	4416	WerFault.exe
Token: SeDebugPrivilege	4368	rundll32.exe
Token: SeDebugPrivilege	4468	RUNDLL32.EXE
Token: SeDebugPrivilege	4416	WerFault.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

file.exeRUNDLL32.EXE

pid process

756 file.exe
756 file.exe
4468 RUNDLL32.EXE

pid	process
756	file.exe
756	file.exe
4468	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

file.execmd.exeFile51.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.execykxqcy.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 756 wrote to memory of 4044	756	file.exe	File51.exe
PID 756 wrote to memory of 4044	756	file.exe	File51.exe
PID 756 wrote to memory of 4044	756	file.exe	File51.exe
PID 756 wrote to memory of 2708	756	file.exe	cmd.exe
PID 756 wrote to memory of 2708	756	file.exe	cmd.exe
PID 756 wrote to memory of 2708	756	file.exe	cmd.exe
PID 2708 wrote to memory of 3292	2708	cmd.exe	timeout.exe
PID 2708 wrote to memory of 3292	2708	cmd.exe	timeout.exe
PID 2708 wrote to memory of 3292	2708	cmd.exe	timeout.exe
PID 4044 wrote to memory of 4068	4044	File51.exe	4_ico.exe
PID 4044 wrote to memory of 4068	4044	File51.exe	4_ico.exe
PID 4044 wrote to memory of 4068	4044	File51.exe	4_ico.exe
PID 4044 wrote to memory of 1152	4044	File51.exe	6_ico.exe
PID 4044 wrote to memory of 1152	4044	File51.exe	6_ico.exe
PID 4044 wrote to memory of 1152	4044	File51.exe	6_ico.exe
PID 4044 wrote to memory of 1564	4044	File51.exe	vpn_ico.exe
PID 4044 wrote to memory of 1564	4044	File51.exe	vpn_ico.exe
PID 4044 wrote to memory of 1564	4044	File51.exe	vpn_ico.exe
PID 4068 wrote to memory of 3628	4068	4_ico.exe	SmartClock.exe
PID 4068 wrote to memory of 3628	4068	4_ico.exe	SmartClock.exe
PID 4068 wrote to memory of 3628	4068	4_ico.exe	SmartClock.exe
PID 1564 wrote to memory of 3908	1564	vpn_ico.exe	cykxqcy.exe
PID 1564 wrote to memory of 3908	1564	vpn_ico.exe	cykxqcy.exe
PID 1564 wrote to memory of 3908	1564	vpn_ico.exe	cykxqcy.exe
PID 1564 wrote to memory of 4140	1564	vpn_ico.exe	WScript.exe
PID 1564 wrote to memory of 4140	1564	vpn_ico.exe	WScript.exe
PID 1564 wrote to memory of 4140	1564	vpn_ico.exe	WScript.exe
PID 1152 wrote to memory of 4212	1152	6_ico.exe	cmd.exe
PID 1152 wrote to memory of 4212	1152	6_ico.exe	cmd.exe
PID 1152 wrote to memory of 4212	1152	6_ico.exe	cmd.exe
PID 4212 wrote to memory of 4284	4212	cmd.exe	timeout.exe
PID 4212 wrote to memory of 4284	4212	cmd.exe	timeout.exe
PID 4212 wrote to memory of 4284	4212	cmd.exe	timeout.exe
PID 1152 wrote to memory of 4300	1152	6_ico.exe	cmd.exe
PID 1152 wrote to memory of 4300	1152	6_ico.exe	cmd.exe
PID 1152 wrote to memory of 4300	1152	6_ico.exe	cmd.exe
PID 4300 wrote to memory of 4348	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 4348	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 4348	4300	cmd.exe	timeout.exe
PID 3908 wrote to memory of 4368	3908	cykxqcy.exe	rundll32.exe
PID 3908 wrote to memory of 4368	3908	cykxqcy.exe	rundll32.exe
PID 3908 wrote to memory of 4368	3908	cykxqcy.exe	rundll32.exe
PID 4368 wrote to memory of 4468	4368	rundll32.exe	RUNDLL32.EXE
PID 4368 wrote to memory of 4468	4368	rundll32.exe	RUNDLL32.EXE
PID 4368 wrote to memory of 4468	4368	rundll32.exe	RUNDLL32.EXE
PID 4468 wrote to memory of 4728	4468	RUNDLL32.EXE	powershell.exe
PID 4468 wrote to memory of 4728	4468	RUNDLL32.EXE	powershell.exe
PID 4468 wrote to memory of 4728	4468	RUNDLL32.EXE	powershell.exe
PID 4468 wrote to memory of 4992	4468	RUNDLL32.EXE	powershell.exe
PID 4468 wrote to memory of 4992	4468	RUNDLL32.EXE	powershell.exe
PID 4468 wrote to memory of 4992	4468	RUNDLL32.EXE	powershell.exe
PID 4992 wrote to memory of 4100	4992	powershell.exe	nslookup.exe
PID 4992 wrote to memory of 4100	4992	powershell.exe	nslookup.exe
PID 4992 wrote to memory of 4100	4992	powershell.exe	nslookup.exe
PID 4468 wrote to memory of 4320	4468	RUNDLL32.EXE	schtasks.exe
PID 4468 wrote to memory of 4320	4468	RUNDLL32.EXE	schtasks.exe
PID 4468 wrote to memory of 4320	4468	RUNDLL32.EXE	schtasks.exe
PID 1564 wrote to memory of 2712	1564	vpn_ico.exe	WScript.exe
PID 1564 wrote to memory of 2712	1564	vpn_ico.exe	WScript.exe
PID 1564 wrote to memory of 2712	1564	vpn_ico.exe	WScript.exe
PID 4468 wrote to memory of 4124	4468	RUNDLL32.EXE	schtasks.exe
PID 4468 wrote to memory of 4124	4468	RUNDLL32.EXE	schtasks.exe
PID 4468 wrote to memory of 4124	4468	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\File51.exe
"C:\Users\Admin\AppData\Local\Temp\File51.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jkhrmwungum & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jkhrmwungum & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4348

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe
"C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL,kVY7
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB5EA.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
8⤵
PID:4100

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 552
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xtkretwg.vbs"
4⤵
PID:4140

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sjxltgtyhjla.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6 & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jkhrmwungum\46173476.txt
MD5
8b19f6aa1bc99b4877fe1ad46a8e5ada

SHA1
9fbb5f3ce5252f757da353cd8cc0bfdcdf9f4a23

SHA256
993c2ae5da336d368f80eedad2e3c7a2abc4511b6a7e1abca0badc21cbbaebe2

SHA512
e0d451afd4bc6eb4845eaa436ef534952787044b8c4b9fb026d9b1318af0d47c0b7868affa8ce46bac2c53e568a824cc61c984cba43606f6994e4a680ecee19c

Download Submit
C:\ProgramData\jkhrmwungum\8372422.txt
MD5
681e86c44d5f65b11eab4613008ac6fb

SHA1
8b404015c1281d4cf9fc5ad48bbbd6db16ccff4c

SHA256
4513bce79a3e5dd52833962e18e28021052ce284504bc201cc7efaf627342d4d

SHA512
fdfd791d3fc4150c4ed12792cabac523bfd6d1ab6483138a60fb20f8ecd87d553c37162f4f644ca3860fabc61bbaaeea4dafec0da4367175fe015c979e5d9ba0

Download Submit
C:\ProgramData\jkhrmwungum\Files\_INFOR~1.TXT
MD5
c325724c2ea37b55a1cb436df0e5793b

SHA1
0ac9c3df7f4e4721a45eb269083c8fade9e97d1d

SHA256
1e8447ebf8f0b1ac5fc23d090ea05eaccca01389a6d5bbd33260bdfe4341dbcc

SHA512
164e7d9e87eb8bf26632b982df74f144bb91a8cebd4722d531af107d470a1720483ff69a37bd1dcbc7cef93107c01f9a04bbe83deb8da7cf084b6703ec96c18a

Download Submit
C:\ProgramData\jkhrmwungum\NL_202~1.ZIP
MD5
50939972f47337428a78826a962544fa

SHA1
40c7f80c1319626b9cc952e6e65a6f7072c0f2dc

SHA256
3f1dfe2618e6b2506cf6050b2924e2a16aadb30cb444b6017c07fc5792dea50b

SHA512
8db4cf5c4709cc95fa49a0bd1783b6b7d507b60c6715871cc0014a67e2ea4048eaf489c64ae63044d6d753425da6593e9f7ad3274e9ad993876068b6e4658100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3cd0c7adc048655395ebd8b29ec8ce8c

SHA1
62ee46f5c5eebbb0644835109e1edbc0b130d1ba

SHA256
33556f9663e3e1355198e18b27e94133d7433380d39d9908219052348268426d

SHA512
458fe916156721bc342bf68885eea5b05531a3a5f13609edaef4f9ee2df72b5a6f92cbee9c34083e127c5f0b616dba774e419dad6a9fda4b4c4b727c63a5f3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\File51.exe
MD5
2ebe80e99870dad48dc81b56b3b2d0d0

SHA1
51940c58e7ee8d651eb85904a410b753fbcdeef8

SHA256
e45a3ed92d97f94869e330797fd03e29a1d50b5041ff04adb4c4c39606f50833

SHA512
1aa823adef705c2a9dc94a5c99cbb19f75b9680f6797207b4e71ee77277804644beb56c30ff3b9148234846c3d8ceaed65f62285a732e3fa0e5d1479218c514f

Download Submit
C:\Users\Admin\AppData\Local\Temp\File51.exe
MD5
2ebe80e99870dad48dc81b56b3b2d0d0

SHA1
51940c58e7ee8d651eb85904a410b753fbcdeef8

SHA256
e45a3ed92d97f94869e330797fd03e29a1d50b5041ff04adb4c4c39606f50833

SHA512
1aa823adef705c2a9dc94a5c99cbb19f75b9680f6797207b4e71ee77277804644beb56c30ff3b9148234846c3d8ceaed65f62285a732e3fa0e5d1479218c514f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\0YFFUP~1.ZIP
MD5
580d2fe035ac4f8760815fbba34d54a7

SHA1
a667289a4f1277d057dcb4d2bff8e0adde341754

SHA256
06d7a3a02d1ae47fa320347ff26887768ab99dae0b6cef3b472c6de41eaebf94

SHA512
ed00bcd81f65ced6f7c853f8af131a40f6a090446891b7f19b26c5dd5a9722c801218ea832d3fce7186e7996f7aafad6c9fed2d72bfe300bf7f7556a98ee05b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\RBWGZX~1.ZIP
MD5
5c45393f6da2111d2b9422b8fe48425c

SHA1
b64236fb656c3cb7e7be4b23101ef632373f9faf

SHA256
4cbcc2740abc1e9ab95c0a4e145c33ff74a264cf15873582dc68d03f15c033ab

SHA512
50f1d862422c633dbd640e835157a8ae93c71621df89ea55675721acb9dee7969454fcbdc6f101a8c8e1ba03f2ab0876228a6bc852a63fcb51211b3aa4a65a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\_Files\_INFOR~1.TXT
MD5
dbf8b6e43a8d558de2a78dae1409e569

SHA1
39add7041b8e8c2ad26cafada4dfd95244676eb4

SHA256
91ee2049febd3019ffee49ab56310b3e61e38358ca51f3086d4184cbc9544fe3

SHA512
c60d6d3c8a022623b6af4004fdb5fa53fe97154bf1402fd880c25e2466fe655f4a625020c4a2bbbf84d66ecec04fd2600a211ebc397d5378800feeb56df65e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\_Files\_SCREE~1.JPE
MD5
baef945d2dcd7bd7d2f19a4f4fdac226

SHA1
924f7c1d2e26df48bdaeb35ec2d93f50f4322349

SHA256
e39e46d2a3244a83e904fac888ab1a74d82f9e8ad62f423a9e81726a876455f4

SHA512
6fbc778ef0ff34cc9bb0a2cb14c7dc4869319ce68999bf49745224a98dc98c29740e31d5c2691fee864fcbb29b52df3e6c17631220ea60977dd8ef797b7308a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\files_\SCREEN~1.JPG
MD5
baef945d2dcd7bd7d2f19a4f4fdac226

SHA1
924f7c1d2e26df48bdaeb35ec2d93f50f4322349

SHA256
e39e46d2a3244a83e904fac888ab1a74d82f9e8ad62f423a9e81726a876455f4

SHA512
6fbc778ef0ff34cc9bb0a2cb14c7dc4869319ce68999bf49745224a98dc98c29740e31d5c2691fee864fcbb29b52df3e6c17631220ea60977dd8ef797b7308a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G80oUo6rG6\files_\SYSTEM~1.TXT
MD5
f0a8a0f7f5d29d6a18e0439abdaface0

SHA1
42eb3069e9df7aec39cb7f3f833cdd751265b354

SHA256
732268b3764ff04badb16b27aec7383bdbd60a1b260c6ecf50bf2e6e296287ce

SHA512
cb8a136eb4f5fe8d795b4ff6e7f92c60da2e00d7e717694de3996e61339dc93e47447dad8881c805872bdb97e42feb6c6405754ae50242beffb0a787021ed13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
ce187c8e140d6f1329877a2ae0128a7c

SHA1
96106084440083c434929ff1414f28198665a26b

SHA256
df2df3fba35989757ae3921fa819543aa63f305385ee8d4a3d1e682e751db045

SHA512
f3d5d7d9c681dd9f5f3e4c3108e3899a04d0905581b31008e65a1da235665a3c86716211042f32c96ed6b251075458efdbe83c446edbf8c5a936348089f8f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
ce187c8e140d6f1329877a2ae0128a7c

SHA1
96106084440083c434929ff1414f28198665a26b

SHA256
df2df3fba35989757ae3921fa819543aa63f305385ee8d4a3d1e682e751db045

SHA512
f3d5d7d9c681dd9f5f3e4c3108e3899a04d0905581b31008e65a1da235665a3c86716211042f32c96ed6b251075458efdbe83c446edbf8c5a936348089f8f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
239bdf56b4a121cba18cc5aaa8c2f6a4

SHA1
f543dea6be05c6ca9bffceaf3999e0c68d323f99

SHA256
6f2381314fdc3741357a5549422f00587a2f25241c4976bbe1d0e902288740ad

SHA512
9cd12f58a27e7b83e14d4e58091ed206a3a90a82ba2007ddd3f6d811ed22e5ee937d2fe2f54d1a9283342500086c142f7bd6767748b95e3cae1d120f89f361be

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
239bdf56b4a121cba18cc5aaa8c2f6a4

SHA1
f543dea6be05c6ca9bffceaf3999e0c68d323f99

SHA256
6f2381314fdc3741357a5549422f00587a2f25241c4976bbe1d0e902288740ad

SHA512
9cd12f58a27e7b83e14d4e58091ed206a3a90a82ba2007ddd3f6d811ed22e5ee937d2fe2f54d1a9283342500086c142f7bd6767748b95e3cae1d120f89f361be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe
MD5
7ae8447db714441c8a0b0e239cadfe89

SHA1
63764c23149a819d12e367708d7735b0fd9fb110

SHA256
de1cbe12d46e3e92a45715972a3ef5b030260fc0e900f8d79f221c2330e24aba

SHA512
31f55f0d57e3a8ce2e830929dbcef5a9ba43625a6dd7310bbb4dcfd513084df9cd76873950a5fea50cf5b031055c2e05b2a5a21a027e79be0ef05470462b8670

Download Submit
C:\Users\Admin\AppData\Local\Temp\cykxqcy.exe
MD5
7ae8447db714441c8a0b0e239cadfe89

SHA1
63764c23149a819d12e367708d7735b0fd9fb110

SHA256
de1cbe12d46e3e92a45715972a3ef5b030260fc0e900f8d79f221c2330e24aba

SHA512
31f55f0d57e3a8ce2e830929dbcef5a9ba43625a6dd7310bbb4dcfd513084df9cd76873950a5fea50cf5b031055c2e05b2a5a21a027e79be0ef05470462b8670

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjxltgtyhjla.vbs
MD5
819c70c67d9277c37cb42bef05bf7894

SHA1
4fa660e4d7951e0cc8bed143d967c1d1177a1887

SHA256
f632613f9145d0de9b07dc79fee84d13b48d1d0f614c696d3a089572029b5b69

SHA512
5f886f861255bb3b78505b90c7298b09c5f5ff9a0a71c1cff3a4466fcd2fd012b57814403a2b50dde227ae80f7618bc8be6c5116f1ff563e042c4ec37e544fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.ps1
MD5
c960b9b2b04c4663c211fa4146d0b3ad

SHA1
737fc17ef5d48f047d9aa043ba2cef0fe5919135

SHA256
d2f012948e2e48c5cb432338886f46ad8b084c23a020bc5addd38c104b4c2aef

SHA512
1314590ba78b41bfb4e268a74bbdc959db7ae4f749459080c9f39766825a22b311e48a21ae686008a51ebf09996c5b692aaa41dd0fcabef22cc6eaf793a6957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0AB.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5EA.tmp.ps1
MD5
3a153ec3e03c075d9d92e1b9944125e9

SHA1
d0de22d7e9ebc66927a6b296cd0e91ef360fcea9

SHA256
9680ecb8a6f64fe67a345572fdc08055bf205101a4892ca331a6550861d9e386

SHA512
e3a1058d7f9aec132f02450dd3571a9a1d0fd5821ca3c825c702d1dfec6fb134bcc325b094e667fb384d060d3221c6344be1489010fec8479929198d89acdfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5EB.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtkretwg.vbs
MD5
e9a6878282ee7c2d134473dd943704c6

SHA1
829ac8e4bd150809702e1e117fd5d03b821bf34f

SHA256
cfd03462e15e028c4e7b8b119f08858c04f73f80b433e476b827c2db19ffe456

SHA512
b03c388c340eb490755f10b099762a5b59932ab18bd10f864640e76ee30eabb60c9e57580f9d280a17e1d25332b39f594d5d36280f72481c3c0902fa18b22d70

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
\Users\Admin\AppData\Local\Temp\CYKXQC~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
\Users\Admin\AppData\Local\Temp\nsx6568.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/756-2-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/756-4-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/756-3-0x00000000048D0000-0x0000000004970000-memory.dmp

Filesize
640KB

Download
memory/1152-27-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1152-39-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1152-38-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1152-37-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1152-36-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1152-29-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/1152-19-0x0000000000000000-mapping.dmp

Download
memory/1152-69-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1564-48-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1564-30-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1564-49-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1564-23-0x0000000000000000-mapping.dmp

Download
memory/1564-31-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1564-45-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1564-47-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1564-46-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2708-8-0x0000000000000000-mapping.dmp

Download
memory/2712-136-0x0000000000000000-mapping.dmp

Download
memory/3292-16-0x0000000000000000-mapping.dmp

Download
memory/3628-57-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3628-61-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3628-60-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3628-63-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3628-58-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3628-62-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3628-54-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/3628-53-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3628-50-0x0000000000000000-mapping.dmp

Download
memory/3628-59-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3908-64-0x0000000000000000-mapping.dmp

Download
memory/3908-74-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/3908-73-0x0000000005AA0000-0x0000000005E7C000-memory.dmp

Filesize
3.9MB

Download
memory/3908-72-0x00000000056D0000-0x0000000005A9A000-memory.dmp

Filesize
3.8MB

Download
memory/3908-70-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/4044-5-0x0000000000000000-mapping.dmp

Download
memory/4068-28-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/4068-44-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4068-43-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4068-42-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/4068-41-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/4068-33-0x00000000777D4000-0x00000000777D5000-memory.dmp

Filesize
4KB

Download
memory/4068-32-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4068-26-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4068-17-0x0000000000000000-mapping.dmp

Download
memory/4068-40-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4100-132-0x0000000000000000-mapping.dmp

Download
memory/4124-138-0x0000000000000000-mapping.dmp

Download
memory/4140-67-0x0000000000000000-mapping.dmp

Download
memory/4212-71-0x0000000000000000-mapping.dmp

Download
memory/4284-79-0x0000000000000000-mapping.dmp

Download
memory/4300-80-0x0000000000000000-mapping.dmp

Download
memory/4320-135-0x0000000000000000-mapping.dmp

Download
memory/4348-81-0x0000000000000000-mapping.dmp

Download
memory/4368-92-0x0000000004B71000-0x00000000051CE000-memory.dmp

Filesize
6.4MB

Download
memory/4368-86-0x00000000047A1000-0x0000000004B58000-memory.dmp

Filesize
3.7MB

Download
memory/4368-82-0x0000000000000000-mapping.dmp

Download
memory/4416-88-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4416-87-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4468-93-0x0000000005101000-0x000000000575E000-memory.dmp

Filesize
6.4MB

Download
memory/4468-90-0x0000000000000000-mapping.dmp

Download
memory/4728-105-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/4728-98-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4728-104-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/4728-108-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/4728-109-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/4728-110-0x0000000008A00000-0x0000000008A01000-memory.dmp

Filesize
4KB

Download
memory/4728-111-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/4728-102-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/4728-94-0x0000000000000000-mapping.dmp

Download
memory/4728-103-0x00000000041D2000-0x00000000041D3000-memory.dmp

Filesize
4KB

Download
memory/4728-95-0x0000000070610000-0x0000000070CFE000-memory.dmp

Filesize
6.9MB

Download
memory/4728-116-0x00000000041D3000-0x00000000041D4000-memory.dmp

Filesize
4KB

Download
memory/4728-96-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/4728-97-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/4728-106-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/4728-101-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/4728-99-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/4728-100-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/4992-127-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/4992-124-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/4992-134-0x0000000004C33000-0x0000000004C34000-memory.dmp

Filesize
4KB

Download
memory/4992-119-0x0000000004C32000-0x0000000004C33000-memory.dmp

Filesize
4KB

Download
memory/4992-118-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4992-115-0x00000000700B0000-0x000000007079E000-memory.dmp

Filesize
6.9MB

Download
memory/4992-113-0x0000000000000000-mapping.dmp

Download