ab16a04319d7fac50b2e33a7a98d5095230a0c5341aefb2dbd14eb2f25d5c561

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 07:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe
Size

1.9MB
MD5

218cec096e586e438a2b7197ba0450a1
SHA1

c4c5ea76ea8125186898a434d9e8205ea5b70873
SHA256

ab16a04319d7fac50b2e33a7a98d5095230a0c5341aefb2dbd14eb2f25d5c561
SHA512

146763cec6f308ad90c7e0ab9d947392617a224dce2a15c73988e4bed890897bd17a4634931e8b298e594bf45a953daeb1976461e9744ab30747c45d3a5b3a34
SSDEEP

24576:Bg7Sda6E7lAil1dtwMErG3LJh7Cv/Sk7uqyeuhiKG1u6bHTAnMp4NJtJl1X8Udqh:BYYs/HdUKJhs/S/zeuUo6AMpCXMwZTe

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2500	chacha.exe
2568	cha_lhm8_109321.exe
1752	Shell.exe
2716	Shell.exe
2264	IDict.exe
2240	idictrun.exe
1480	OnlineUpg.exe
2088	upgrade.exe

Loads dropped DLL 40 IoCs

pid	Process
2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe
2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe
2500	chacha.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
1752	Shell.exe
1752	Shell.exe
1752	Shell.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2716	Shell.exe
2716	Shell.exe
2716	Shell.exe
2568	cha_lhm8_109321.exe
2568	cha_lhm8_109321.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2240	idictrun.exe
2240	idictrun.exe
2240	idictrun.exe
2240	idictrun.exe
2264	IDict.exe
2264	IDict.exe
1480	OnlineUpg.exe
1480	OnlineUpg.exe
1480	OnlineUpg.exe
1480	OnlineUpg.exe
1480	OnlineUpg.exe
2088	upgrade.exe
2088	upgrade.exe
2088	upgrade.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CNN_Running = "C:\\Program Files (x86)\\IDict\\IDictRun.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CNN_IDict = "C:\\Program Files (x86)\\IDict\\IDict.exe -aut"	Shell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IDict\Images\_Btn3_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\ticai.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\Thumbs.db	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\movie.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_SysBtn2x_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\Ð¡Óê-ÖÐÓê.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Btn3_On.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\sfz.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\´óÑ©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\redian.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\Ð¡Ñ©-ÖÐÑ©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Demo.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_search_on.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\ÑïÉ³.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Btn2.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\__tab_v_ds.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_search_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\¶àÔÆ.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\Ð¡Ñ©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MiniSys2_on.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Tog_toL_on.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\ÖÐÑ©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\¶³Óê.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\__Opr_D.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MiniSys1.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\ÌØ´ó±©Óê.gif	cha_lhm8_109321.exe
File opened for modification	C:\Program Files (x86)\IDict\upgrade.exe	OnlineUpg.exe
File created	C:\Program Files (x86)\IDict\upgrade.exe	OnlineUpg.exe
File created	C:\Program Files (x86)\IDict\Images\_LineBtn_mask.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MainTab1.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_SysBtn2_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\IDict.exe	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_logon.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\ÖÐÑ©-´óÑ©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Tog_toL_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MiniTab1_sel.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_ListSel.jpg	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_SysBtn1_on.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\__Up_N.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\IDictRun.exe	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MsnClose_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\__btnover.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\ÕóÓê.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_BackRight.jpg	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Btn2_down.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MsnClose.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_htm.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\caipu.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\google.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\weather\gif\É³³¾±©.gif	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_BackMini_Left.jpg	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Btn3.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\wscs.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MiniTab_mask.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Shell.exe	cha_lhm8_109321.exe
File opened for modification	C:\Program Files (x86)\IDict\User\Position.ini	Shell.exe
File created	C:\Program Files (x86)\IDict\Data\newsa.htm	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\shenghuo.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_SysBtn3_on.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\__tab_v_m.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Data\baidu.ico	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_Close.bmp	cha_lhm8_109321.exe
File created	C:\Program Files (x86)\IDict\Images\_MiniSys2.bmp	cha_lhm8_109321.exe
File opened for modification	C:\Program Files (x86)\IDict\user\pid.dat	cha_lhm8_109321.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\5B85E413.dll	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe
File opened for modification	C:\Windows\5B85E413.dll	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x000e000000015c58-8.dat	nsis_installer_2
behavioral1/files/0x0007000000015ca2-16.dat	nsis_installer_1
behavioral1/files/0x0007000000015ca2-16.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IDict.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IDict.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IDict.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\InprocServer32\ = "C:\\Windows\\5B85E413.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5B85E413.Ñ¸À×¿´¿´Ïà¹Ø²å¼þ	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5B85E413.Ñ¸À×¿´¿´Ïà¹Ø²å¼þ\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\ProgID\ = "5B85E413.Ñ¸À×¿´¿´Ïà¹Ø²å¼þ"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\ = "Ñ¸À×¿´¿´Ïà¹Ø²å¼þ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5B85E413.Ñ¸À×¿´¿´Ïà¹Ø²å¼þ\ = "Ñ¸À×¿´¿´Ïà¹Ø²å¼þ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5B85E413.Ñ¸À×¿´¿´Ïà¹Ø²å¼þ\Clsid\ = "{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B92E890B-4A57-4E65-82CC-CBB152F4DA9D}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	Shell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	IDict.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2264	IDict.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1752	Shell.exe
2716	Shell.exe
2264	IDict.exe
2264	IDict.exe
2240	idictrun.exe
2264	IDict.exe
2264	IDict.exe
2240	idictrun.exe
2240	idictrun.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
2264	IDict.exe
1480	OnlineUpg.exe
2088	upgrade.exe
2088	upgrade.exe
2088	upgrade.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2500	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2500	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2500	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2500	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2500 wrote to memory of 2568	2500	chacha.exe	31
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 1752	2568	cha_lhm8_109321.exe	32
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2716	2568	cha_lhm8_109321.exe	33
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2568 wrote to memory of 2264	2568	cha_lhm8_109321.exe	34
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 2240	2264	IDict.exe	35
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 2264 wrote to memory of 1480	2264	IDict.exe	38
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 1480 wrote to memory of 2088	1480	OnlineUpg.exe	39
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40
PID 2840 wrote to memory of 1704	2840	218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\218cec096e586e438a2b7197ba0450a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2840
- \??\c:\softdown\chacha.exe
  c:\softdown\chacha.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2500
- - \??\c:\¹¤¾ß°ü\cha_lhm8_109321.exe
    c:\¹¤¾ß°ü\cha_lhm8_109321.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Program Files (x86)\IDict\Shell.exe
      "C:\Program Files (x86)\IDict\Shell.exe" /KILL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1752
  - - C:\Program Files (x86)\IDict\Shell.exe
      "C:\Program Files (x86)\IDict\Shell.exe" /INSTALL /UNINSTSBOX
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2716
  - - C:\Program Files (x86)\IDict\IDict.exe
      "C:\Program Files (x86)\IDict\IDict.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Program Files (x86)\IDict\idictrun.exe
        
        "C:\Program Files (x86)\IDict\idictrun.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - C:\Program Files (x86)\IDict\OnlineUpg.exe
        
        "C:\Program Files (x86)\IDict\OnlineUpg.exe" -upgrade1234567-hwnd459104-progc:\program files (x86)\idict\idict.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Program Files (x86)\IDict\upgrade.exe
        
        "C:\Program Files (x86)\IDict\upgrade.exe" -upgrade7654321-serverde1234567-hwnd459104-progc:\program files (x86)\idict\idict.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2088
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\5B85E413.dll -s
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IDict\Images\_Back.jpg

Filesize
35KB

MD5
37e47e87e73173244fe520e7a4ae7510

SHA1
729a64ef115a9a2fe723da5d60e43f6543b7353c

SHA256
9bc895adb5798b9a9733d4523d33acda01d4dabd357e19dcf9e3df6adf5fb2e0

SHA512
1e1e9165c3efe0f9839e9aa7247460c0e0088e082af6414b1a5d74934da1343894ade5d6629bc2fe892592da103c438edfe569e18df4cbf39ede7e74c544fb75

Download Submit
C:\Program Files (x86)\IDict\Images\_BackMini_Left.jpg

Filesize
12KB

MD5
f3901867c6ef7a5c871a2ca55ba64773

SHA1
565f8a9ff5e9ab9931c131c2fde5161ce2f1eaba

SHA256
86049dfdf5e3f0c2feb6d82d0e587697b650f1abe5dfedbf83218991296c5196

SHA512
c37abf15ba6c71f19518efbf198df788be67f7abe298bb007226dc164a9b70cf01baccb87f7b4320b4b52f22fa245e1cc6ecbaa1d850504c7cbd9cd3ca7ce672

Download Submit
C:\Program Files (x86)\IDict\Images\_BackMini_Mid.jpg

Filesize
2KB

MD5
85dfe4cf11b74d8ec7c844ce0510c042

SHA1
8021b08aa0ed8e2d138703907cd35dfe10aaee5e

SHA256
b1b3546ce8ee171135288737b37e8733546cd3ab29e6a0971567434d8c08e47a

SHA512
67df7a155f9d2c8203a5c3d8fc956603d82e320ca7ebe82f8e0a54e0e28ef87b194248747dc6d912d60be6588bdde7bfeb62b7a03d87924647239ca90e5223ff

Download Submit
C:\Program Files (x86)\IDict\Images\_BackMini_Right.jpg

Filesize
4KB

MD5
a93ecd6154afcc518ed057d41db76722

SHA1
7da1a71ae8a5fd4b777c7ba60926043717446d59

SHA256
830ab47ca0bea1aa78d87c594c3ffa0624ba0837ab74cc812198e20b2d6b54ca

SHA512
2946d40e2fcf008d66e6af47af09d16fac93aa5b9cfdd210057d53fdfc4eb32152684ac931a5b08d884fd1bd2d865458500d8c99fd31ff924692fe1094b97f2d

Download Submit
C:\Program Files (x86)\IDict\Images\_BackRight.jpg

Filesize
3KB

MD5
a5d1e46294e23cd7f16492b38601c553

SHA1
7be3a71706b3b4193bafacc94540fd86217c1019

SHA256
d5368a8e9b23cb7e6fba83d1d76cefaa4b87aca69c4d64d932f95ecd48341a00

SHA512
322f6d2d9c84e4299fbf090a74252f89840588965dc9fb7be991530040bc54de4f6fd4723569d1ba4475a352e5932c2913647738eecbdea1d9fc4c3c2abd297c

Download Submit
C:\Program Files (x86)\IDict\Images\_Dingyue.jpg

Filesize
3KB

MD5
897625c5aff466c0f1f7321ff9307f81

SHA1
bc615fff2804041573acb1f074349a3a7852c69e

SHA256
5613d089e2ba6b886e2cdb295d1042257b3394faf6a43db1cb526d4b5f3bfec7

SHA512
30f9823f7fd84d8fc22d2d58445100a33d6b6f6808c94205345fafb4fe61ed2a1652bca4cfc319d925abaff61e08e01dc3aace671d5e03c33a308cde90a7ec0a

Download Submit
C:\Program Files (x86)\IDict\Images\_Everyday_Left.jpg

Filesize
3KB

MD5
40a40a9df7144423d7ecbfd67033d15b

SHA1
94b0e2526e9088347f2cdfe2f3d93e47fcdff0d7

SHA256
4ed6b5cfa694dee8974602407a89f652f03ecad810dded2f87281f862b79a26c

SHA512
948832d2432c226aed873aeedc4a8c40e2b297f677006b6c79f016dd83e312509b633c56d34dadaafd59fc9505389ef7f9a8e24e2e02b79749b3275873a1d52c

Download Submit
C:\Program Files (x86)\IDict\Images\_Everyday_Mid.jpg

Filesize
2KB

MD5
214478e4a2e526abb8982d8a8dca9fa2

SHA1
d2a6f653286ab750baa72a5594e0757ea29b883f

SHA256
cdee5549ce7d77f25c079c5eac657f42c56a58094e495f4ca235f25d61648cbd

SHA512
f609811147f107d68100f8da33448fbd736d8571f54ef26d9bfd4352d75cb5b47680e0cf8c2cb1acc96c5956c9a2287c64e95ba3dab201cbc3c4dc114e46f335

Download Submit
C:\Program Files (x86)\IDict\Images\_Everyday_Right.jpg

Filesize
3KB

MD5
23bc58d2245f8419183b5caf73198f7d

SHA1
1bedb74627828f719866843cf163a39692a35cbb

SHA256
aedb8389c8279aec220f0a477377e6cd6cd4213178a3014da3bfb6b7cfb472f5

SHA512
efbf5162d23e820136e97e774646183d06492c7beef5641b592eb0ee1cbc74b15512a4e7e96fab35709040ccd6606ba3b1449dbb9594507ff112214c40ac18e6

Download Submit
C:\Program Files (x86)\IDict\Images\_Logo.jpg

Filesize
3KB

MD5
fcb21a5ac519523361aaab20a35af0ba

SHA1
51055f1f1f698c8768f15af7ff6f248b61094d2d

SHA256
d14e6a401c30ad4baa3fe38dfe35f58bd547204aa2a93cf6a7fafb8ccb58549c

SHA512
57d59e16ea7f73e2868f9cbd0842370171279ddf80dd168f3521a7a017ebe5961c4fba8a1f7bb9f46be879bfa592878c5be2299052a6b4c3387e8ab5c765012e

Download Submit
C:\Program Files (x86)\IDict\Images\_MsnTip.jpg

Filesize
12KB

MD5
504f06cb9ec202d11a63bb4d4fa07612

SHA1
69b00f9d1b9a0323467604e1335760da9037f3d9

SHA256
e7b70d494432e93a556d2e902395d5c034f5660d5090ea6a3d7c977e7fc24bbb

SHA512
7a666fba281da3cf8b03c5ea340e65ec79159336c5f09762ef2400719abaf5536ad79da4a39def85451da47cd6b77f83f14937bfd55c8638b0c44eb8eb4c43ef

Download Submit
C:\Program Files (x86)\IDict\Images\_OfflineTip.jpg

Filesize
10KB

MD5
34d1959827385216907e90023a1fc372

SHA1
8e53825a2fe793cd4ddeb5593162b60eba22aee2

SHA256
7bb3ec21384c483ac5bc5b116a81f3abd9455b362aebb8dc1cc40088609e1734

SHA512
7a71ae246d3fa639740afe9e5a55bcf28dbb4bb43c636d5b7d50f56ad0e89b7f4c0dd7924c6953bdbbcdc8548223181ebbe77e7e34f990cf70a8c959c1abe240

Download Submit
C:\Program Files (x86)\IDict\Images\_SysBtn1.bmp

Filesize
1KB

MD5
da636e05f5ee40dd9652a5a0fbf6c1a5

SHA1
451a0fad045b6bd2b48decd2111e0509281bc624

SHA256
1556b15234a4f828e6dddf1593675f73d1378beaa470eed935166a633cf0c149

SHA512
db0cd0ad60702c235a737b4a4f6c25dea631d233f3ae1031d35b93245dd29472cd5e9061a4b8615d015ea755200272f2dfe15aa5680c7de1d0b6b490b416db91

Download Submit
C:\Program Files (x86)\IDict\Images\_Title.jpg

Filesize
3KB

MD5
c5abf872274d187b1e39f8aaac8bf609

SHA1
6f214a4f8c6eaee7b2b03628da6e99f07b88e1ad

SHA256
6d2aa20ca070ad525aa2ccc69e400ec49b778efbef6c252e60afd671f3d429b3

SHA512
66ea1793952353c4317fe52c96aa446f8a1f46c4ff3ed3424d3cc6f3b6c5b5f31a4d4f3c5dfad4bd2bb7e5098948110cb420ef7a08932c7249d6d7fbb0cbed35

Download Submit
C:\Program Files (x86)\IDict\Images\_Tooltip.jpg

Filesize
2KB

MD5
0570511cc68fce88e967d99d057cfa5a

SHA1
15c48a63331578a4c7afc2a78a8171669f64ed00

SHA256
7711e71757111acd6f245d306b8cab16fafeea84f1691c4f76f47d4213c5cdd4

SHA512
aebd481447dc25f464bf8449ee6d4130d486b4a850a598493b5df819326560428af570522eecf09ebab35e3221ae914677cc54b446ffa11ab37bdb4e098d658e

Download Submit
C:\Program Files (x86)\IDict\Images\_cnnic.ico

Filesize
894B

MD5
4069e3c74970953da9f22e79a09a3de9

SHA1
1bf5e611e0da70ba6e363c6fb9451d7e1359e98f

SHA256
3dd4a8eb623714879188283b4ce57608eda719e9470fb852d73dc500f0e4405f

SHA512
de2a0b2ce543c7c2594cff754dc23f3020b656b852ce2d7748a9cc9ac98e8012b3355341025c4e1febc70bbaedd41c383764a907c17f7f3697fd217227543b78

Download Submit
C:\Program Files (x86)\IDict\Images\_everyday.bmp

Filesize
668B

MD5
1a38a643753a439dc310765fc2b6032d

SHA1
daafd1697bbf4499bf7d84ab03cb29024ddcc4bc

SHA256
e57fef474e5dd69855102f6cb964c041b1352cc41ad55f206f7477e76b002079

SHA512
c239109fd90b773efd595100c6729cde1e49d559e4de0383cc0e3b6e1650ecd98c363cc115931bab21475d30ecdb992a304cd4afa009fb2c2f6fa5f9b07a10ee

Download Submit
C:\Program Files (x86)\IDict\Images\_everyday_down.bmp

Filesize
668B

MD5
ca1d506ddeb0f504adef0369f982eb8c

SHA1
e9744c99316358295eee88cb0e32e725f423c032

SHA256
4cb7bb63c78bae3b3ec24c0778d28c7cc5fa21780c3e272f6f348f7f4cad88f4

SHA512
72c28b31af7202e578c8e079480df534472e806bfc5f2a1f5ede746187334c8e6c27117e7b6d38b8385cb0aea3ba51ffeb851ba4395ecff374924c20c656e0d9

Download Submit
C:\Program Files (x86)\IDict\Images\_htm.ico

Filesize
894B

MD5
2f695eb12cbdd8d061cd8cc2f3a8cbec

SHA1
9c8118f489f49ab5156be79154d76ea491ca84d4

SHA256
994fd01edd6b65151bd15fb42e9ff0bb8bfbd99fd8148f37f7791fb04603a61f

SHA512
31fd6a5e12096aabefb07076b607970107eef596452b673cd2844b40099813d8245167cba8ca04060f589a6844e829b5b6149ec22dc104b73c49958a92a3719c

Download Submit
C:\Program Files (x86)\IDict\Skin\StdSkin.ini

Filesize
1KB

MD5
5e8dbced459f13ca06c0ba4dbbb1102c

SHA1
a8082f4185f26f4d65fef84afac9921cf4ad9218

SHA256
a9f5b24a0c74ec02cdc5273a8ded850280b38f73dbc1f9fe381efe190fdf04d9

SHA512
27b9c6c603a5bac3b300aeb27eeb7f4f77d1a8d6810309fecf4bd02b537b166d953713108281d2585988b4f50bb7e373f5e407bbae4ce6309116a8a4b981b582

Download Submit
C:\Program Files (x86)\IDict\config.dat

Filesize
1KB

MD5
8dc829e4784be833bb93a3092be9cc1c

SHA1
1351d928e8976528f62557a95881bafc068323d2

SHA256
d79d5329573ba4ee78aaf4060696929bb84878d986d3e2176c5a812fcf50a403

SHA512
07bc932fd15dbae9f223e047ef3a8af05ddb52ae2360ee0cfe67713ca48dbce32693a96c823d430e037e33cdafc7e38ac8a184162bf4fb5b40fe2821e8a19ab4

Download Submit
C:\Program Files (x86)\IDict\idictrun.exe

Filesize
59KB

MD5
1fd887634aa4bc208daa0fc58771c059

SHA1
8979ae48cb54bd0ec99b8ed3f9c2a4cab06e110f

SHA256
82b8df243e5275d71553312480463c2a895733c6355651efeefad963e7f38788

SHA512
264a6677cdb49866c893f26070894352087e6e9f00ae21d3b29d7f87a18a3e02add08f8570d72fac8644397b1e5c5ebca826ae6b4c38b3f5a9d2f5c48e475ddb

Download Submit
C:\Program Files (x86)\IDict\upgrade.exe

Filesize
83KB

MD5
1a9bcb38109cd602f4ee97845f99968d

SHA1
8696309b17a3a4d96a81297f9610824604e2e2e4

SHA256
c6da51bd5d80c2546a5d77c93f1b69fc9b42a293c8292482696e951f1ff19c20

SHA512
183512323bd5b87eb39ddabf35fdfe13412d88e9eb350f28abcf5b40cda2d543ac79da8e44dcb5f579355e511d0dc7de4ca04dc1b877f6c71fc2726f3d73663d

Download Submit
C:\Program Files (x86)\IDict\weather\city.ini

Filesize
2KB

MD5
6668daef568366b8f959a77a6e5cc0f3

SHA1
9061ac527d90830505d281d8ddd95090db23cb29

SHA256
c62741b4f8f264f7c4a7496e86570985f40696e833a7bff0944c9921904b2675

SHA512
82834ba6671a5a9d81f6d15f2f32813e2c488b63131701291ed1a929db46911e02d10990491cb76c84e07711d496bc28278c2f1ace66f9b26b0c15dddcf0e50c

Download Submit
C:\Program Files (x86)\IDict\weather\weather.ini

Filesize
126B

MD5
23ea365f04afe8c8cdce9be254ba1fe5

SHA1
44bddc84e2f7fa2abb4d44b7872bf846b4a6603f

SHA256
0f05d8ee1b1a3c68bc9471d3d217bdddc7f6977e4195953c1e4d5849bb077e77

SHA512
3cb62ffde9a03342301ccc10d1584545e4bc7cf87d7aae4c89a860796b9be60130e17fee05ba5b58b73ec7117e46ddc6f2631ef9f805a32315b51d6d153316fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\ioSpecial.ini

Filesize
568B

MD5
13a0da3fedce40760b09c41b559e7d24

SHA1
b4dc3d1aa20c26efd0aadebcba553851dbc2607a

SHA256
8ddab0b0dd2ffb122ec78d7636fb527349493c7b79231762562dd69e7e65390c

SHA512
c481c425ce98ede97df83ae3efaf507c6fdb32d9800e8200174a387b3e722cec39be6ba23f8a0f631d87d0ebb9568e2b6869798438b695502bde9490c5e3d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\ioSpecial.ini

Filesize
732B

MD5
fa37fa3cd17cbe6801045d1b8380aa64

SHA1
b5f8f4fdfad9e0efa67791b6cb1d358b58219186

SHA256
c6df42ae5de6e58eca1ec1b56eb79343f29387c8715d324dedfeee103f543c0c

SHA512
921dab4e22875fe5877ab6f87fc2fee9701316e56d289b50b91cf3c4fc3fbe8e53a5134f24f1bd3db74ed0502302961a5f52ac63ad95de9f371b48c3466b12c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\ioSpecial.ini

Filesize
391B

MD5
32aade27dc4ddb04002d7548bb3f826c

SHA1
a7a2cb321528d20102bf976985ef68c0d512d311

SHA256
a810761205d275a3d24e50ce946f78da25297e044d4478d2a2239330eec2ba10

SHA512
14c318f10f320a9d0e64bee5d6c5c0192f018ddddda78540f506b75e52ddbc2734d6986a36976b5fe3b7d2b5d148f0951dc772346a0d311a4e443f435a00ead3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\ioSpecial.ini

Filesize
758B

MD5
9ad690fde85ad2ca95c0ea806351ddda

SHA1
e867a0ed88689b286619f582e0ff094c7c4d4b45

SHA256
1baf7d0a6977fc42c53c55b2122bca4a956b99c94bce20cff7cbb0fb43beb3f0

SHA512
588cdafeac99704241863ab0505fdebf2254b3e5f091dfae38847fa43e1f605a3f712dddebfe7cc03dc664e5d58d1ed8a02df8a6e6f14be547490c1af2b06f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\ioSpecial.ini

Filesize
595B

MD5
442f18d4d61be67f8139f4cd7bc7bd47

SHA1
96122e6e8a318850daad808f05f7648d6d50556d

SHA256
972104bcbcf1d97f3780ac17838a9ceeeef7925150e0a8bc71c1109fa0f9288d

SHA512
6f457783d530221aa5b77a9b1d32b489a90c3ac6901c5c89618126a2824e6dcca7e00d6a6d385f63dc0e79bd0ed8472c4d91d3c723f63c5ea8e7c916548bc536

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\option.ini

Filesize
378B

MD5
fcff3827beed5a165c4b1a5548bcf231

SHA1
022a28744380ce3238bc4b9e4087d8325809d16d

SHA256
d81cfa1e6c1e1f92480462f186ebe27bca6cc1e6bf41913abf4e62c382b357ad

SHA512
61db05a63c306764cf8a073694b72d7ceaae21c8c01e47d7e3ba631932cf5c7aa8170beec7c9a43f541e9ed04db962427053a755aa6caf6a48926c723a50149a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4971.tmp\option.ini

Filesize
426B

MD5
cbcbbfb55cee4b76b97c6b0284d7da06

SHA1
a36fe82bc2278c14e41d32803c29a23d84ddbd5c

SHA256
7b8b7234550b6a5063bc60898caf7c7a7643ee27cf2cf1cd8e3496165029b23f

SHA512
acde884e5279fdf990d9851704775eab469aa2cd9543c45cb90a5b7d37f7e5bd3126d78784ac136208dff320cd6578c846d8a050dc7c69c5ab3258feb502b88a

Download Submit
\Program Files (x86)\IDict\IDict.exe

Filesize
231KB

MD5
04453808d21cf704d2f8f5a06bb0377d

SHA1
20c299b99a185360ed9458ca57af27844514425a

SHA256
4a45f7236553aea150ca053ca9aa192494cd43b2f1ce222f1f259383b874ed52

SHA512
38e973ecc88fb45ac5d4029d3d698778404723c83bbd0869ec01c1989c92c138c8ed34b95fc2800535a11237fd66dd7733f5ea6f74c76cd7dd7ea795574c5c7a

Download Submit
\Program Files (x86)\IDict\IDictlib.dll

Filesize
247KB

MD5
dc6410a37b4302a7682f9645ff3d0129

SHA1
f4885a7641761304e3190a010dac1cce7164236a

SHA256
1b7834db68bbef7a85b8d8b575202a352162ad333f0dd73458ca6e0e46e49acf

SHA512
6634dd79753014258f755957fce048239794f97e3076c02b047d4ed7dbefe5d1c0653928f26a9818a1bcb2ca718e0014ce6732209b18da3e72bf63f32b8a02b6

Download Submit
\Program Files (x86)\IDict\Shell.exe

Filesize
55KB

MD5
a676de00ea1373037d0d27ffec16a95d

SHA1
4056f5cc517d2a14a02730241a4174e55bf8ad20

SHA256
7619835b4c03f7ad77c5ad7eeea704d669b00d21d498caa6b0ecd798f2db5198

SHA512
706c49252b3377d63cbdd9062dd1dc4ba5742b7326a506f60496ca14cedf20e76f6d27a338659926f255cf4330407b5214dd08f258c6e387aed626afe9b943dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4971.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4971.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\softdown\chacha.exe

Filesize
686KB

MD5
d21fca4acf59f9cde85478ae166d3805

SHA1
023391af9e5405107f8a721d23813ae9d2071cb6

SHA256
1c66138653b70f87ad94db95570223e88b166acb76b2272081fadc34a07a1125

SHA512
7873fcf2dcacf18bf34b617a7c2a34510ec0861e5cbe0caecba875f7cc6750e297c6c81d9aa87dcf0c594a9fb6deb5f9bb33869fe3399f0c6a90171a348daf47

Download Submit
\¹¤¾ß°ü\cha_lhm8_109321.exe

Filesize
574KB

MD5
644c3bc638b67970930cd64cb1d805b0

SHA1
4e505aaf317e2237a6ec33ccc9463cf6c7ba47cc

SHA256
1d9fb820c2915d8c8f2dfa20f0b67fd19570e719c78091d038a9ee4a0ff601eb

SHA512
dc0a6931047bda096adc46a6c1156bb9a3e1042f7ef3911136963f7497d219d0eb78b78a31d340fcebb18fd04c2cfddef38d385f891bff0b59be9c6e509756bd

Download Submit
memory/1704-589-0x00000000006C0000-0x0000000000754000-memory.dmp

Filesize
592KB

Download
memory/2500-398-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2500-580-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2840-24-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2840-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2840-1-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2840-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2840-590-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download