f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb

Analysis

max time kernel
137s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe
Size

5.3MB
MD5

55d2a65e5eeb77c81606dad8bce900e5
SHA1

3e117047e30249d34f03ee075128de89ed2f3256
SHA256

f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb
SHA512

1075a9728a49334ac6dc1774fbe7d37f1e0dbe132be89ccd3beff2493a877d9f008c552b92909140429f432d48771e6b6c738a8bd43ebe863509cc6dd1743550

Score

10^/10

discovery evasion spyware upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 492 created 496 492 WerFault.exe nnswhxluglah.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

26 3104 RUNDLL32.EXE
32 4260 WScript.exe
34 4260 WScript.exe
36 4260 WScript.exe
38 4260 WScript.exe
Executes dropped EXE 5 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exennswhxluglah.exe

pid process

4072 4_ico.exe
3964 6_ico.exe
3704 vpn_ico.exe
4036 SmartClock.exe
496 nnswhxluglah.exe

description	pid	process	target process
PID 492 created 496	492	WerFault.exe	nnswhxluglah.exe

flow	pid	process
26	3104	RUNDLL32.EXE
32	4260	WScript.exe
34	4260	WScript.exe
36	4260	WScript.exe
38	4260	WScript.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe	upx
C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe	upx
behavioral2/memory/492-67-0x0000000004B70000-0x0000000004B71000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeSmartClock.exe4_ico.exe6_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 5 IoCs

Processes:

f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exerundll32.exeRUNDLL32.EXE

pid process

412 f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe
2616 rundll32.exe
2616 rundll32.exe
3104 RUNDLL32.EXE
3104 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exe

pid process

3964 6_ico.exe
4072 4_ico.exe
3704 vpn_ico.exe
4036 SmartClock.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

492 496 WerFault.exe nnswhxluglah.exe

pid	process
412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe
2616	rundll32.exe
2616	rundll32.exe
3104	RUNDLL32.EXE
3104	RUNDLL32.EXE

flow	ioc
10	ip-api.com

pid	process
3964	6_ico.exe
4072	4_ico.exe
3704	vpn_ico.exe
4036	SmartClock.exe

pid	pid_target	process	target process
492	496	WerFault.exe	nnswhxluglah.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3816 timeout.exe
584 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
3816	timeout.exe
584	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4036 SmartClock.exe

pid	process
4036	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exeWerFault.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4072	4_ico.exe
4072	4_ico.exe
3964	6_ico.exe
3964	6_ico.exe
3704	vpn_ico.exe
3704	vpn_ico.exe
4036	SmartClock.exe
4036	SmartClock.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
492	WerFault.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
3104	RUNDLL32.EXE
3104	RUNDLL32.EXE
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	492	WerFault.exe
Token: SeBackupPrivilege	492	WerFault.exe
Token: SeDebugPrivilege	2616	rundll32.exe
Token: SeDebugPrivilege	492	WerFault.exe
Token: SeDebugPrivilege	3104	RUNDLL32.EXE
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3104 RUNDLL32.EXE

pid	process
3104	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe4_ico.exevpn_ico.exennswhxluglah.exe6_ico.exerundll32.execmd.execmd.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 412 wrote to memory of 4072	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	4_ico.exe
PID 412 wrote to memory of 4072	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	4_ico.exe
PID 412 wrote to memory of 4072	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	4_ico.exe
PID 412 wrote to memory of 3964	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	6_ico.exe
PID 412 wrote to memory of 3964	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	6_ico.exe
PID 412 wrote to memory of 3964	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	6_ico.exe
PID 412 wrote to memory of 3704	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	vpn_ico.exe
PID 412 wrote to memory of 3704	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	vpn_ico.exe
PID 412 wrote to memory of 3704	412	f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe	vpn_ico.exe
PID 4072 wrote to memory of 4036	4072	4_ico.exe	SmartClock.exe
PID 4072 wrote to memory of 4036	4072	4_ico.exe	SmartClock.exe
PID 4072 wrote to memory of 4036	4072	4_ico.exe	SmartClock.exe
PID 3704 wrote to memory of 496	3704	vpn_ico.exe	nnswhxluglah.exe
PID 3704 wrote to memory of 496	3704	vpn_ico.exe	nnswhxluglah.exe
PID 3704 wrote to memory of 496	3704	vpn_ico.exe	nnswhxluglah.exe
PID 3704 wrote to memory of 728	3704	vpn_ico.exe	WScript.exe
PID 3704 wrote to memory of 728	3704	vpn_ico.exe	WScript.exe
PID 3704 wrote to memory of 728	3704	vpn_ico.exe	WScript.exe
PID 496 wrote to memory of 2616	496	nnswhxluglah.exe	rundll32.exe
PID 496 wrote to memory of 2616	496	nnswhxluglah.exe	rundll32.exe
PID 496 wrote to memory of 2616	496	nnswhxluglah.exe	rundll32.exe
PID 3964 wrote to memory of 3912	3964	6_ico.exe	cmd.exe
PID 3964 wrote to memory of 3912	3964	6_ico.exe	cmd.exe
PID 3964 wrote to memory of 3912	3964	6_ico.exe	cmd.exe
PID 2616 wrote to memory of 3104	2616	rundll32.exe	RUNDLL32.EXE
PID 2616 wrote to memory of 3104	2616	rundll32.exe	RUNDLL32.EXE
PID 2616 wrote to memory of 3104	2616	rundll32.exe	RUNDLL32.EXE
PID 3912 wrote to memory of 3816	3912	cmd.exe	timeout.exe
PID 3912 wrote to memory of 3816	3912	cmd.exe	timeout.exe
PID 3912 wrote to memory of 3816	3912	cmd.exe	timeout.exe
PID 3964 wrote to memory of 2168	3964	6_ico.exe	cmd.exe
PID 3964 wrote to memory of 2168	3964	6_ico.exe	cmd.exe
PID 3964 wrote to memory of 2168	3964	6_ico.exe	cmd.exe
PID 2168 wrote to memory of 584	2168	cmd.exe	timeout.exe
PID 2168 wrote to memory of 584	2168	cmd.exe	timeout.exe
PID 2168 wrote to memory of 584	2168	cmd.exe	timeout.exe
PID 3104 wrote to memory of 2192	3104	RUNDLL32.EXE	powershell.exe
PID 3104 wrote to memory of 2192	3104	RUNDLL32.EXE	powershell.exe
PID 3104 wrote to memory of 2192	3104	RUNDLL32.EXE	powershell.exe
PID 3704 wrote to memory of 4260	3704	vpn_ico.exe	WScript.exe
PID 3704 wrote to memory of 4260	3704	vpn_ico.exe	WScript.exe
PID 3704 wrote to memory of 4260	3704	vpn_ico.exe	WScript.exe
PID 3104 wrote to memory of 4636	3104	RUNDLL32.EXE	powershell.exe
PID 3104 wrote to memory of 4636	3104	RUNDLL32.EXE	powershell.exe
PID 3104 wrote to memory of 4636	3104	RUNDLL32.EXE	powershell.exe
PID 4636 wrote to memory of 4816	4636	powershell.exe	nslookup.exe
PID 4636 wrote to memory of 4816	4636	powershell.exe	nslookup.exe
PID 4636 wrote to memory of 4816	4636	powershell.exe	nslookup.exe
PID 3104 wrote to memory of 4856	3104	RUNDLL32.EXE	schtasks.exe
PID 3104 wrote to memory of 4856	3104	RUNDLL32.EXE	schtasks.exe
PID 3104 wrote to memory of 4856	3104	RUNDLL32.EXE	schtasks.exe
PID 3104 wrote to memory of 4904	3104	RUNDLL32.EXE	schtasks.exe
PID 3104 wrote to memory of 4904	3104	RUNDLL32.EXE	schtasks.exe
PID 3104 wrote to memory of 4904	3104	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe
"C:\Users\Admin\AppData\Local\Temp\f7a222070e2c2ea0f9f84a166a4380e36d3393a2bd1a86474504743e81f267eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\kmiyjgkfgk & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\kmiyjgkfgk & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:584

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe
"C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\NNSWHX~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL,sF1TLDYaBaz5
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBD5A.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE084.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:4856

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 556
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\imoqfgybpun.vbs"
3⤵
PID:728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\piwwirwd.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kmiyjgkfgk\46173476.txt
MD5
0aacf6d8ba053299abb8366831cfc053

SHA1
ec08730f5ee757a571f7e5374dbddd7c02c94d6d

SHA256
9d9f0462009c1d0fa9b95dd66b5fa7fb8871150994e055d8ea9a8205c33d76ee

SHA512
5020b24d304f6991a0a25ac2d49116ed2f96298e9f47e82b57ae73cb1c8e6e56800afd3387b5d179d067879627f83af607bff80667d6a405ac1ddd255b6020ca

Download Submit
C:\ProgramData\kmiyjgkfgk\8372422.txt
MD5
1d33d504c150f0d87ac21ed56c00d22e

SHA1
5e2656d8ab56ca2c9b2bba8d3aaac0df89f0b7d5

SHA256
18e6873b0e044b2ca56a332fea56966197ef8c94ebc4d378b7a8668640dea048

SHA512
cf0504c6c77aa3c7eda031c5ebd73e96787a5f8ce20657a3acd231c7898622388b426998a3ab87f4d681da7b9620e4c87d07130f536551b6f88711e1a6d72c1f

Download Submit
C:\ProgramData\kmiyjgkfgk\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\kmiyjgkfgk\NL_202~1.ZIP
MD5
eeb51601018f66de98a6e98f454347f6

SHA1
6ae3126b63d7617993e068fad84463322f473d94

SHA256
d7eedf445c97ff6cdf62c5edf21dfe7c7716c7be63927aeac66245841966eac3

SHA512
81792b085d2b5eb757ff1997b010ee42b190c6d5ceb976bfaa4be7d5ec992fffe89a10031ad5e76948cb9a18a6075ef82d6f14e9ad309c453fab73d6746384ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0a6d3eaa0fc8ab73ffb333073212f157

SHA1
f9594b9e8f5b5308e3dfd2c074c5307972033cd3

SHA256
fe164b41b1bff7941a03630e4b8602e4ac28c7c98e2aa92d17eaf28389c3a123

SHA512
0d16c3610c06df9918963fc3fa8bcac189f567efc7f2cc3fdcfe63c302c17713fabffdfc2a0fb8710b0c097858aed81e8b63927bcc48da1cef3d9951e0702e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL
MD5
9061b56858cf1cde2aa7e713595dd082

SHA1
0cfa9dd828c9591cbe96e8823d32dc45a005a682

SHA256
6b22bfbc4fa1eb86787e290327ac9321f2e7f5d7e16b32cd79f4efb61dd5d13c

SHA512
2aa0833e9759034782676e4598a471e19a3dc061d64a8ed67be3d81f90225bfae89b434df27476cf76a785599ba056c18ddae1b6277501677676ddffb971aa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
05f88876bd20a59fe64a85f6f34f3adf

SHA1
0c27e8fc0b82f0b022fbe0fb20eb4f2b18f0c62c

SHA256
4b1ba8c0531a57d866e69aa47f49942f6994555b2524efbf593409f24bb45c7a

SHA512
ab8f071d17485e6bb08682bdd38ee544b827448c2c4d2fb135140e0a239f4c86e92d03146172f1464d6a065260ce421835f2a945d772ed0f7eb936158d01aef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
05f88876bd20a59fe64a85f6f34f3adf

SHA1
0c27e8fc0b82f0b022fbe0fb20eb4f2b18f0c62c

SHA256
4b1ba8c0531a57d866e69aa47f49942f6994555b2524efbf593409f24bb45c7a

SHA512
ab8f071d17485e6bb08682bdd38ee544b827448c2c4d2fb135140e0a239f4c86e92d03146172f1464d6a065260ce421835f2a945d772ed0f7eb936158d01aef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
e4bbb795b6ce39c25a836faee97029c5

SHA1
81953d7005796acf41196f3c210b7e7828969ddf

SHA256
16d0d77a6a6ba8b5bca4cf3809e30e4bc67439a9407ea24ab1f5bbd714aa37be

SHA512
20c6104fabdca5c995d90e5b50f317d6f4244ddf05d6c530d07428eebe0e1661238cfcbb86d44af8a9fd801bfe122717cb3665a9b1c9ed5ca0d0cc6f904f2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
e4bbb795b6ce39c25a836faee97029c5

SHA1
81953d7005796acf41196f3c210b7e7828969ddf

SHA256
16d0d77a6a6ba8b5bca4cf3809e30e4bc67439a9407ea24ab1f5bbd714aa37be

SHA512
20c6104fabdca5c995d90e5b50f317d6f4244ddf05d6c530d07428eebe0e1661238cfcbb86d44af8a9fd801bfe122717cb3665a9b1c9ed5ca0d0cc6f904f2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
ec56651f4ce61513bfd1cc4db6a443b6

SHA1
b090a9b79a8d95e935d13414d27fad906c3189a9

SHA256
03924e7e117fd3cfac6a5196e55b0176f341ee4e8683e119abd8efff60dc8899

SHA512
b217c48a21377b9287a0a78df404c018e8cbb929b46e7bb52e1cac3049f563da102bad1f68d04886f848e9d15afc21221736710728a8dfa3c82d85cab5f275dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
ec56651f4ce61513bfd1cc4db6a443b6

SHA1
b090a9b79a8d95e935d13414d27fad906c3189a9

SHA256
03924e7e117fd3cfac6a5196e55b0176f341ee4e8683e119abd8efff60dc8899

SHA512
b217c48a21377b9287a0a78df404c018e8cbb929b46e7bb52e1cac3049f563da102bad1f68d04886f848e9d15afc21221736710728a8dfa3c82d85cab5f275dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\imoqfgybpun.vbs
MD5
f039ea488f4e1b3a801aabfdc62228de

SHA1
24b22fc93bdc0bbc9b833a6a22f390eb3105e9d2

SHA256
a1e51a433d3c2dd68d0c31bf574d4bba9906fb63834c8020001d5273cc5bbadb

SHA512
b82e6151c5d70bb723347f516edfd8b50ea24509b56e1c15a09611ff2ff387a194f1790716a43e937ce33a67539003b21b66a14bfed5e13d4862be95047f7075

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe
MD5
75f5fc157ffab1800464c4739781bd96

SHA1
777186c7b0518d6846902743135873235537ffd8

SHA256
aa6900e737e2763758862260526d0654c0e71ed3a5d0f5c4d987cdc83ab9204e

SHA512
182373177f89574b5b8e01170e28fe10ac6f2f71bae5d3b6a436ae27bbec5abcc1184d910dc64663d8ee07ba8312aef8acdd6a2355eeb9ab8dab3ae73671dc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnswhxluglah.exe
MD5
75f5fc157ffab1800464c4739781bd96

SHA1
777186c7b0518d6846902743135873235537ffd8

SHA256
aa6900e737e2763758862260526d0654c0e71ed3a5d0f5c4d987cdc83ab9204e

SHA512
182373177f89574b5b8e01170e28fe10ac6f2f71bae5d3b6a436ae27bbec5abcc1184d910dc64663d8ee07ba8312aef8acdd6a2355eeb9ab8dab3ae73671dc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\piwwirwd.vbs
MD5
abd08e069d71479a341b223542ea1c67

SHA1
a8c14df135031aadf95004ca2cfd67bf3ed10ded

SHA256
09de680a14569f4a8f284ade3514722d6921a7c280a844e6bd5755f067fbd476

SHA512
aad38a82fd3273b0f1168c6dbd42d26260fb2aaa0a28a6e9674e881df2e032f703c495d14d3997ea9942f305f247b80eec460219fe450d739a6f4a0850e87245

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD5A.tmp.ps1
MD5
57981a46ba749be69005a9671b721625

SHA1
15530a9f8250cba306726f36f5d12ba94f0afd10

SHA256
afdc656a93fd791dd8088370f8696748e6f610bcf8e064968ae62a41908a9cb0

SHA512
4675637f69a4465aca1987f33f685b7904f12bae9ebc76f51bf2660fe40e74be585dbf91cc21256757b1a271f249c21662d69843203c016911d1a0f682e46369

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD5B.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE084.tmp.ps1
MD5
5b48990f490e848b3464160a77b77a9b

SHA1
1cc8b71e705614104a1c22e584438d8675080299

SHA256
32dec3f5b6a6f5c3305d02d8d63bd2a9e0658aa4b601cd1033a33124499dcd1d

SHA512
9b5d25908bcc4b1853018c6b93e4db39262203be3d382fa4705d1d07ff176617de2759d23a3dee2702bf3bd8c7be5ed173f9b4173f73f345bd48a42345edb0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE085.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
05f88876bd20a59fe64a85f6f34f3adf

SHA1
0c27e8fc0b82f0b022fbe0fb20eb4f2b18f0c62c

SHA256
4b1ba8c0531a57d866e69aa47f49942f6994555b2524efbf593409f24bb45c7a

SHA512
ab8f071d17485e6bb08682bdd38ee544b827448c2c4d2fb135140e0a239f4c86e92d03146172f1464d6a065260ce421835f2a945d772ed0f7eb936158d01aef7

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
05f88876bd20a59fe64a85f6f34f3adf

SHA1
0c27e8fc0b82f0b022fbe0fb20eb4f2b18f0c62c

SHA256
4b1ba8c0531a57d866e69aa47f49942f6994555b2524efbf593409f24bb45c7a

SHA512
ab8f071d17485e6bb08682bdd38ee544b827448c2c4d2fb135140e0a239f4c86e92d03146172f1464d6a065260ce421835f2a945d772ed0f7eb936158d01aef7

Download Submit
\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL
MD5
9061b56858cf1cde2aa7e713595dd082

SHA1
0cfa9dd828c9591cbe96e8823d32dc45a005a682

SHA256
6b22bfbc4fa1eb86787e290327ac9321f2e7f5d7e16b32cd79f4efb61dd5d13c

SHA512
2aa0833e9759034782676e4598a471e19a3dc061d64a8ed67be3d81f90225bfae89b434df27476cf76a785599ba056c18ddae1b6277501677676ddffb971aa5e

Download Submit
\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL
MD5
9061b56858cf1cde2aa7e713595dd082

SHA1
0cfa9dd828c9591cbe96e8823d32dc45a005a682

SHA256
6b22bfbc4fa1eb86787e290327ac9321f2e7f5d7e16b32cd79f4efb61dd5d13c

SHA512
2aa0833e9759034782676e4598a471e19a3dc061d64a8ed67be3d81f90225bfae89b434df27476cf76a785599ba056c18ddae1b6277501677676ddffb971aa5e

Download Submit
\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL
MD5
9061b56858cf1cde2aa7e713595dd082

SHA1
0cfa9dd828c9591cbe96e8823d32dc45a005a682

SHA256
6b22bfbc4fa1eb86787e290327ac9321f2e7f5d7e16b32cd79f4efb61dd5d13c

SHA512
2aa0833e9759034782676e4598a471e19a3dc061d64a8ed67be3d81f90225bfae89b434df27476cf76a785599ba056c18ddae1b6277501677676ddffb971aa5e

Download Submit
\Users\Admin\AppData\Local\Temp\NNSWHX~1.DLL
MD5
9061b56858cf1cde2aa7e713595dd082

SHA1
0cfa9dd828c9591cbe96e8823d32dc45a005a682

SHA256
6b22bfbc4fa1eb86787e290327ac9321f2e7f5d7e16b32cd79f4efb61dd5d13c

SHA512
2aa0833e9759034782676e4598a471e19a3dc061d64a8ed67be3d81f90225bfae89b434df27476cf76a785599ba056c18ddae1b6277501677676ddffb971aa5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi748B.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/492-66-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/492-67-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/496-58-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/496-56-0x00000000055B0000-0x000000000597A000-memory.dmp

Filesize
3.8MB

Download
memory/496-55-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/496-57-0x0000000005980000-0x0000000005D5C000-memory.dmp

Filesize
3.9MB

Download
memory/496-50-0x0000000000000000-mapping.dmp

Download
memory/584-88-0x0000000000000000-mapping.dmp

Download
memory/728-53-0x0000000000000000-mapping.dmp

Download
memory/2168-80-0x0000000000000000-mapping.dmp

Download
memory/2192-95-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/2192-107-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/2192-110-0x0000000005053000-0x0000000005054000-memory.dmp

Filesize
4KB

Download
memory/2192-108-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/2192-106-0x000000000A310000-0x000000000A311000-memory.dmp

Filesize
4KB

Download
memory/2192-103-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/2192-101-0x0000000008B30000-0x0000000008B31000-memory.dmp

Filesize
4KB

Download
memory/2192-100-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/2192-99-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2192-98-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/2192-97-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/2192-96-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/2192-94-0x0000000005052000-0x0000000005053000-memory.dmp

Filesize
4KB

Download
memory/2192-93-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/2192-92-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2192-91-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2192-90-0x0000000070560000-0x0000000070C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-89-0x0000000000000000-mapping.dmp

Download
memory/2616-59-0x0000000000000000-mapping.dmp

Download
memory/2616-63-0x0000000000C01000-0x0000000000FB7000-memory.dmp

Filesize
3.7MB

Download
memory/2616-85-0x0000000004961000-0x0000000004FBD000-memory.dmp

Filesize
6.4MB

Download
memory/3104-79-0x0000000000A51000-0x0000000000E07000-memory.dmp

Filesize
3.7MB

Download
memory/3104-75-0x0000000000000000-mapping.dmp

Download
memory/3104-87-0x0000000004961000-0x0000000004FBD000-memory.dmp

Filesize
6.4MB

Download
memory/3704-18-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3704-16-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3704-33-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3704-30-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3704-32-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3704-9-0x0000000000000000-mapping.dmp

Download
memory/3704-20-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3704-31-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3816-76-0x0000000000000000-mapping.dmp

Download
memory/3912-65-0x0000000000000000-mapping.dmp

Download
memory/3964-35-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3964-13-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3964-6-0x0000000000000000-mapping.dmp

Download
memory/3964-19-0x00000000777A4000-0x00000000777A5000-memory.dmp

Filesize
4KB

Download
memory/3964-22-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3964-23-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3964-64-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3964-14-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3964-34-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4036-46-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4036-48-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4036-36-0x0000000000000000-mapping.dmp

Download
memory/4036-39-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4036-40-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4036-43-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/4036-44-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4036-45-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4036-49-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4036-47-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4072-17-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/4072-25-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4072-28-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/4072-29-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4072-27-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4072-26-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4072-3-0x0000000000000000-mapping.dmp

Download
memory/4072-12-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/4072-15-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4260-104-0x0000000000000000-mapping.dmp

Download
memory/4636-116-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4636-121-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/4636-117-0x00000000011F2000-0x00000000011F3000-memory.dmp

Filesize
4KB

Download
memory/4636-124-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/4636-113-0x0000000070170000-0x000000007085E000-memory.dmp

Filesize
6.9MB

Download
memory/4636-111-0x0000000000000000-mapping.dmp

Download
memory/4636-131-0x00000000011F3000-0x00000000011F4000-memory.dmp

Filesize
4KB

Download
memory/4816-129-0x0000000000000000-mapping.dmp

Download
memory/4856-132-0x0000000000000000-mapping.dmp

Download
memory/4904-133-0x0000000000000000-mapping.dmp

Download