cryptbot | 4d00c84ecb0f03b44c878e617a5343ca2c8d06bfb588b1501d6f2f0c0c8e79fe

Analysis

max time kernel
141s
max time network
138s
platform
windows10_x64
resource
win10v20201028
submitted
01-01-2021 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35f86945ca3277c1531ebd23a10d7c16.exe
Size

631KB
MD5

35f86945ca3277c1531ebd23a10d7c16
SHA1

3e732eeb0e437732b8886be81ed817b2e8091778
SHA256

4d00c84ecb0f03b44c878e617a5343ca2c8d06bfb588b1501d6f2f0c0c8e79fe
SHA512

c319393cbd8eed3efc6eaf6ed802a0e3cda4a68870bfe3f8fe698fed64ebda6f204cac2498f4415fdd6386c04444e3f1d716689284159de34a8f44cce10cb562

Score

10^/10

cryptbot danabot 3 banker discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

23.226.132.92:443

23.106.123.249:443

108.62.141.152:443

104.144.64.163:443

Attributes

embedded_hash
49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

32 4176 RUNDLL32.EXE
35 4352 WScript.exe
37 4352 WScript.exe
39 4352 WScript.exe
41 4352 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

File332.exe4_ico.exe6_ico.exevpn_ico.exeSmartClock.exeisenubblreql.exe

pid process

2704 File332.exe
936 4_ico.exe
3940 6_ico.exe
2052 vpn_ico.exe
3876 SmartClock.exe
3884 isenubblreql.exe

flow	pid	process
32	4176	RUNDLL32.EXE
35	4352	WScript.exe
37	4352	WScript.exe
39	4352	WScript.exe
41	4352	WScript.exe

pid	process
2704	File332.exe
936	4_ico.exe
3940	6_ico.exe
2052	vpn_ico.exe
3876	SmartClock.exe
3884	isenubblreql.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe	upx
C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exe6_ico.exeSmartClock.exe4_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6_ico.exevpn_ico.exeSmartClock.exe4_ico.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	4_ico.exe

Loads dropped DLL 3 IoCs

Processes:

File332.exerundll32.exeRUNDLL32.EXE

pid process

2704 File332.exe
4140 rundll32.exe
4176 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

vpn_ico.exe6_ico.exe4_ico.exeSmartClock.exe

pid process

2052 vpn_ico.exe
3940 6_ico.exe
936 4_ico.exe
3876 SmartClock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2704	File332.exe
4140	rundll32.exe
4176	RUNDLL32.EXE

flow	ioc
17	ip-api.com

pid	process
2052	vpn_ico.exe
3940	6_ico.exe
936	4_ico.exe
3876	SmartClock.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE35f86945ca3277c1531ebd23a10d7c16.exevpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	35f86945ca3277c1531ebd23a10d7c16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	35f86945ca3277c1531ebd23a10d7c16.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1056 timeout.exe
996 timeout.exe
4120 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings vpn_ico.exe

pid	process
1056	timeout.exe
996	timeout.exe
4120	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3876 SmartClock.exe

pid	process
3876	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4_ico.exevpn_ico.exe6_ico.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
936	4_ico.exe
936	4_ico.exe
2052	vpn_ico.exe
2052	vpn_ico.exe
3940	6_ico.exe
3940	6_ico.exe
3876	SmartClock.exe
3876	SmartClock.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4176	RUNDLL32.EXE
4176	RUNDLL32.EXE
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4140	rundll32.exe
Token: SeDebugPrivilege	4176	RUNDLL32.EXE
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

35f86945ca3277c1531ebd23a10d7c16.exeRUNDLL32.EXE

pid process

1124 35f86945ca3277c1531ebd23a10d7c16.exe
1124 35f86945ca3277c1531ebd23a10d7c16.exe
4176 RUNDLL32.EXE

pid	process
1124	35f86945ca3277c1531ebd23a10d7c16.exe
1124	35f86945ca3277c1531ebd23a10d7c16.exe
4176	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

35f86945ca3277c1531ebd23a10d7c16.execmd.exeFile332.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exeisenubblreql.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 1124 wrote to memory of 2704	1124	35f86945ca3277c1531ebd23a10d7c16.exe	File332.exe
PID 1124 wrote to memory of 2704	1124	35f86945ca3277c1531ebd23a10d7c16.exe	File332.exe
PID 1124 wrote to memory of 2704	1124	35f86945ca3277c1531ebd23a10d7c16.exe	File332.exe
PID 1124 wrote to memory of 2040	1124	35f86945ca3277c1531ebd23a10d7c16.exe	cmd.exe
PID 1124 wrote to memory of 2040	1124	35f86945ca3277c1531ebd23a10d7c16.exe	cmd.exe
PID 1124 wrote to memory of 2040	1124	35f86945ca3277c1531ebd23a10d7c16.exe	cmd.exe
PID 2040 wrote to memory of 1056	2040	cmd.exe	timeout.exe
PID 2040 wrote to memory of 1056	2040	cmd.exe	timeout.exe
PID 2040 wrote to memory of 1056	2040	cmd.exe	timeout.exe
PID 2704 wrote to memory of 936	2704	File332.exe	4_ico.exe
PID 2704 wrote to memory of 936	2704	File332.exe	4_ico.exe
PID 2704 wrote to memory of 936	2704	File332.exe	4_ico.exe
PID 2704 wrote to memory of 3940	2704	File332.exe	6_ico.exe
PID 2704 wrote to memory of 3940	2704	File332.exe	6_ico.exe
PID 2704 wrote to memory of 3940	2704	File332.exe	6_ico.exe
PID 2704 wrote to memory of 2052	2704	File332.exe	vpn_ico.exe
PID 2704 wrote to memory of 2052	2704	File332.exe	vpn_ico.exe
PID 2704 wrote to memory of 2052	2704	File332.exe	vpn_ico.exe
PID 936 wrote to memory of 3876	936	4_ico.exe	SmartClock.exe
PID 936 wrote to memory of 3876	936	4_ico.exe	SmartClock.exe
PID 936 wrote to memory of 3876	936	4_ico.exe	SmartClock.exe
PID 2052 wrote to memory of 3884	2052	vpn_ico.exe	isenubblreql.exe
PID 2052 wrote to memory of 3884	2052	vpn_ico.exe	isenubblreql.exe
PID 2052 wrote to memory of 3884	2052	vpn_ico.exe	isenubblreql.exe
PID 2052 wrote to memory of 1096	2052	vpn_ico.exe	WScript.exe
PID 2052 wrote to memory of 1096	2052	vpn_ico.exe	WScript.exe
PID 2052 wrote to memory of 1096	2052	vpn_ico.exe	WScript.exe
PID 3940 wrote to memory of 4076	3940	6_ico.exe	cmd.exe
PID 3940 wrote to memory of 4076	3940	6_ico.exe	cmd.exe
PID 3940 wrote to memory of 4076	3940	6_ico.exe	cmd.exe
PID 4076 wrote to memory of 996	4076	cmd.exe	timeout.exe
PID 4076 wrote to memory of 996	4076	cmd.exe	timeout.exe
PID 4076 wrote to memory of 996	4076	cmd.exe	timeout.exe
PID 3940 wrote to memory of 1064	3940	6_ico.exe	cmd.exe
PID 3940 wrote to memory of 1064	3940	6_ico.exe	cmd.exe
PID 3940 wrote to memory of 1064	3940	6_ico.exe	cmd.exe
PID 1064 wrote to memory of 4120	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 4120	1064	cmd.exe	timeout.exe
PID 1064 wrote to memory of 4120	1064	cmd.exe	timeout.exe
PID 3884 wrote to memory of 4140	3884	isenubblreql.exe	rundll32.exe
PID 3884 wrote to memory of 4140	3884	isenubblreql.exe	rundll32.exe
PID 3884 wrote to memory of 4140	3884	isenubblreql.exe	rundll32.exe
PID 4140 wrote to memory of 4176	4140	rundll32.exe	RUNDLL32.EXE
PID 4140 wrote to memory of 4176	4140	rundll32.exe	RUNDLL32.EXE
PID 4140 wrote to memory of 4176	4140	rundll32.exe	RUNDLL32.EXE
PID 2052 wrote to memory of 4352	2052	vpn_ico.exe	WScript.exe
PID 2052 wrote to memory of 4352	2052	vpn_ico.exe	WScript.exe
PID 2052 wrote to memory of 4352	2052	vpn_ico.exe	WScript.exe
PID 4176 wrote to memory of 4456	4176	RUNDLL32.EXE	powershell.exe
PID 4176 wrote to memory of 4456	4176	RUNDLL32.EXE	powershell.exe
PID 4176 wrote to memory of 4456	4176	RUNDLL32.EXE	powershell.exe
PID 4176 wrote to memory of 4752	4176	RUNDLL32.EXE	powershell.exe
PID 4176 wrote to memory of 4752	4176	RUNDLL32.EXE	powershell.exe
PID 4176 wrote to memory of 4752	4176	RUNDLL32.EXE	powershell.exe
PID 4752 wrote to memory of 4924	4752	powershell.exe	nslookup.exe
PID 4752 wrote to memory of 4924	4752	powershell.exe	nslookup.exe
PID 4752 wrote to memory of 4924	4752	powershell.exe	nslookup.exe
PID 4176 wrote to memory of 4960	4176	RUNDLL32.EXE	schtasks.exe
PID 4176 wrote to memory of 4960	4176	RUNDLL32.EXE	schtasks.exe
PID 4176 wrote to memory of 4960	4176	RUNDLL32.EXE	schtasks.exe
PID 4176 wrote to memory of 5008	4176	RUNDLL32.EXE	schtasks.exe
PID 4176 wrote to memory of 5008	4176	RUNDLL32.EXE	schtasks.exe
PID 4176 wrote to memory of 5008	4176	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe
"C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\File332.exe
  "C:\Users\Admin\AppData\Local\Temp\File332.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
    "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:3876
- - C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
    "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aqsploqydye & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aqsploqydye & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4120
- - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
    "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe
      "C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\ISENUB~1.EXE
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL,dVceLDZnBaz9
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE6FA.tmp.ps1"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.ps1"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        7⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        7⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yppumwlckp.vbs"
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ktqwrrog.vbs"
      4⤵
      Blocklisted process makes network request
      Modifies system certificate store
      PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aqsploqydye\46173476.txt

MD5
01936bff0a823cb97755357e626e09d2

SHA1
996a52bc3fcfc7b47a41efcc23522460d82b40de

SHA256
14cd286904825e3a3ae68fee961567ced4f008e8783c6b737e75b62f5cc1239a

SHA512
27bd4e4397ed211106a69df692021ecc804ea372a9a44dfe7be366bc3962e575e30afa5b51bb35a8bdb6b65f98232585992d413f05215436d03d25f3afc6c460

Download Submit
C:\ProgramData\aqsploqydye\8372422.txt

MD5
681e86c44d5f65b11eab4613008ac6fb

SHA1
8b404015c1281d4cf9fc5ad48bbbd6db16ccff4c

SHA256
4513bce79a3e5dd52833962e18e28021052ce284504bc201cc7efaf627342d4d

SHA512
fdfd791d3fc4150c4ed12792cabac523bfd6d1ab6483138a60fb20f8ecd87d553c37162f4f644ca3860fabc61bbaaeea4dafec0da4367175fe015c979e5d9ba0

Download Submit
C:\ProgramData\aqsploqydye\Files\_INFOR~1.TXT

MD5
c325724c2ea37b55a1cb436df0e5793b

SHA1
0ac9c3df7f4e4721a45eb269083c8fade9e97d1d

SHA256
1e8447ebf8f0b1ac5fc23d090ea05eaccca01389a6d5bbd33260bdfe4341dbcc

SHA512
164e7d9e87eb8bf26632b982df74f144bb91a8cebd4722d531af107d470a1720483ff69a37bd1dcbc7cef93107c01f9a04bbe83deb8da7cf084b6703ec96c18a

Download Submit
C:\ProgramData\aqsploqydye\NL_202~1.ZIP

MD5
707f04a49b1f6cd2db7c7378c01def52

SHA1
bd028ddeff794daebba718c5c6022bfbc33d0532

SHA256
665ef9b93ed794d12a3e1b129615ba0b4d79e4a8f9d3c95ea410169587754a4f

SHA512
7ac76831cd0b31047c4776ecf3b6776453fab180cfadcc570e4d8641c7ce988f59a91341fb6d802fba33376a09dfaea1da0e197114d030f7715fce9730b03b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4452b10f48e6c7e63178958d7577d9f5

SHA1
c330ee14a5d2428c3243cdace5a884108cb8b2d4

SHA256
d959c30b254f9bfd57780df1d7ddd9f8991cbe230a3a7036448af8a2476a3d52

SHA512
47da5fdc56cb35d92eaa3b53f96f2ecb744d508f9fce4f3509a5cdf91f81ad9655ed6005a6b476cff2ba7375087660cc5d4606bb5bf1dcf53b009d3c05ff2b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0E9.tmp

MD5
cdd5d3be31d0bacc72acc5d25144187c

SHA1
46e86e56609a595f49f7e78f572d5a2e576e771d

SHA256
d2b1660fb3ad57af256f1b674029573f96a1bf5a52c275966e124cb903f1a42a

SHA512
b1f569142d2fe906a8127a60c8d07961a5fbe782556e1ff22fcf6a79e867414e373d14b3c033730f5eb9894c5533ab6f455a739c9dec1b6a110dcbfc21458cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\File332.exe

MD5
5c96362633fdd8b984535046fdf2ba4a

SHA1
9bae53f9695ee57aca78cb06182a9e26f62f6441

SHA256
83ce6b854a0aba9c96894f0efa435c45f4e1d7a4d49e334bcccfdf3b0d409aa7

SHA512
0257eac0903b6f4c2a1c09655d2d12b00601271ec7da16031c4b24e13a48ce407974092e1b93439bf148783fd39e37d36f3cbf366fa1dc64c373ce6a1f8796d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File332.exe

MD5
5c96362633fdd8b984535046fdf2ba4a

SHA1
9bae53f9695ee57aca78cb06182a9e26f62f6441

SHA256
83ce6b854a0aba9c96894f0efa435c45f4e1d7a4d49e334bcccfdf3b0d409aa7

SHA512
0257eac0903b6f4c2a1c09655d2d12b00601271ec7da16031c4b24e13a48ce407974092e1b93439bf148783fd39e37d36f3cbf366fa1dc64c373ce6a1f8796d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL

MD5
56835ac37523e903a4ccc1255467888e

SHA1
0c22ec0b7312322e52651021aa853115d91996b0

SHA256
ab9e74c5ce2c9b1fd7b086a8f1d93cea1baf7b8f7847892cfc7b20288a831281

SHA512
ea6dad63e9be6c4b8a63339ccf4d55217e4b8297cabe45c8d6ffa883b4ed3b3375fc802b1c19f5cc7aa8f8dcd383b732bf4b56b9704fcd61c50618519b19eb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe

MD5
62919fef863ca16909c69f4bf88c1bce

SHA1
eda0d5601e1d5075c2cb6f7578639d46bb7107b1

SHA256
37e42610b8bdd6aab2de9dbb643246367b70bf80ec954b5990a565662d30acc6

SHA512
f9754bd46da4241ebecb14a64a9608d9eec967ddec66e9903f54012a2790485e11517df3f1c4eefefc684498d088167773215494b04985bba0d0ecbb003d3672

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe

MD5
62919fef863ca16909c69f4bf88c1bce

SHA1
eda0d5601e1d5075c2cb6f7578639d46bb7107b1

SHA256
37e42610b8bdd6aab2de9dbb643246367b70bf80ec954b5990a565662d30acc6

SHA512
f9754bd46da4241ebecb14a64a9608d9eec967ddec66e9903f54012a2790485e11517df3f1c4eefefc684498d088167773215494b04985bba0d0ecbb003d3672

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe

MD5
36621eb0e31bad37a15add3a7d459f6c

SHA1
3174db2da6d95ee9e51c469145be38e74f65ad54

SHA256
8365cfe75aa5bf40bbb4f74bcffaf52e84ad687b73d31957d6c2bbb31825220b

SHA512
0ea284364995906abed71e20933a670c5293f2d1aee999e98a3171945fe0365362bd00ae52a04bb26db33e79d806be169cf7f837e453e4232a1e65d080541e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe

MD5
36621eb0e31bad37a15add3a7d459f6c

SHA1
3174db2da6d95ee9e51c469145be38e74f65ad54

SHA256
8365cfe75aa5bf40bbb4f74bcffaf52e84ad687b73d31957d6c2bbb31825220b

SHA512
0ea284364995906abed71e20933a670c5293f2d1aee999e98a3171945fe0365362bd00ae52a04bb26db33e79d806be169cf7f837e453e4232a1e65d080541e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe

MD5
06121b08cbbbd3e03d5ec7f4856591e2

SHA1
0f437ba8f0c231e783c697cb88111c77ceda68c0

SHA256
cfc44eb12265f2e7b3bed5af211b8590c8cb893d6d5cb4d57f476d5c40a8a3f0

SHA512
d8a34dba296218d7b228297bdf2c8312afbaf8394da859fa86cc357dbcd7ecd7fd9cf4737a8100961f40d8dd43941f4f5d7cf1c20e388242f10c7a4edaee09f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe

MD5
06121b08cbbbd3e03d5ec7f4856591e2

SHA1
0f437ba8f0c231e783c697cb88111c77ceda68c0

SHA256
cfc44eb12265f2e7b3bed5af211b8590c8cb893d6d5cb4d57f476d5c40a8a3f0

SHA512
d8a34dba296218d7b228297bdf2c8312afbaf8394da859fa86cc357dbcd7ecd7fd9cf4737a8100961f40d8dd43941f4f5d7cf1c20e388242f10c7a4edaee09f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe

MD5
9de8700660961db553cb33fb50f81f45

SHA1
c069db78ad3c80a6464b1099de1e17d3d5c539e8

SHA256
406b0088c46fccefc0de35dc243dae3472124373e561c4f5e5275a47ac40708b

SHA512
2a7aad814097910e5f2dde090a996484508f620e54824811431e07f0ae361176b502bea40176eaf64427603f6ca452ce43a4d9514b607c55d787670372eebea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe

MD5
9de8700660961db553cb33fb50f81f45

SHA1
c069db78ad3c80a6464b1099de1e17d3d5c539e8

SHA256
406b0088c46fccefc0de35dc243dae3472124373e561c4f5e5275a47ac40708b

SHA512
2a7aad814097910e5f2dde090a996484508f620e54824811431e07f0ae361176b502bea40176eaf64427603f6ca452ce43a4d9514b607c55d787670372eebea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktqwrrog.vbs

MD5
7d25e40379c1f6231db098febd3fe589

SHA1
93536dd702cf7cdeacc566caf157c8d79a7d70a1

SHA256
42a304d0c9e0f165dc73960f998863ddf0b7c5cf8a4e469fa2584bc0905e099b

SHA512
4526f99522c94184b38fbcfed882917871034b5232ac699a23fece07f2e4a09f281fcbaac42317bacc8132f901385f5aec8d65cad822ce726a78b4cd5a115e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\6UpaOnrc.zip

MD5
19c25cb7a271074108b173959c61d1a2

SHA1
b165d05805d1d8a43b00849c254742596099e798

SHA256
9bdfbf1ffeec158d69f8966be4c2b118f82472474bf6ea5869c846bac1196fb4

SHA512
0e334a337ebaf9ec89865228fcf2455171508231b39fc822bd3c074147e1b925f6fcb84cdcf02c970014e1258b5685ac82a91047b874b8371d2f94757b537014

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\FBAVMG~1.ZIP

MD5
bb50c3dcbcb5ceb0e6adb4daba3f852d

SHA1
b7c8e1d671544e04c319e1106e3b15fb3ada16d9

SHA256
a1408ef033acf1a72f12bad34583fcbed10f2ea87e9c9681d51e6fbda78035f0

SHA512
1fe6953260eac660b55b4457399875a613edb71ceb298e67ec369cfff2bb7a790ff56d49438c6481cfa1a14af8148b0e440a3b6875fd39614d7c53bf751fd37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\_Files\_INFOR~1.TXT

MD5
5fb7f961a32fb75bd6ce3884706b2089

SHA1
931e719197afd48cc0e24ac44ea162cfa9e33866

SHA256
4a232b84ce0a2399c01f97679781ef121e49a04e26a20da02746530b624941e0

SHA512
ee7a48d05df66997fd849847cb4d34b943a366452776d5792579b89daa6e3818d1f5badfe420b6d672e72f81ce592b8e51ffb1bceb59ff195a873e0337c56e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\_Files\_SCREE~1.JPE

MD5
1353e4116c8959e331b2e3ce4b13dfe6

SHA1
6ecabb482eaede9efca672430826868e104cb16d

SHA256
4b295baebcf9b722f7ab9f62a1943ff21bb6f8cb54e4a2417a98ef197087872e

SHA512
76b51b660d07461f1514961efdc6b8ee7a0976d5bbd2b3e8422ff41309a71dec95d5163172aca425513926f05aebde4746a34f0e938d340271ab83bb53147b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\files_\SCREEN~1.JPG

MD5
1353e4116c8959e331b2e3ce4b13dfe6

SHA1
6ecabb482eaede9efca672430826868e104cb16d

SHA256
4b295baebcf9b722f7ab9f62a1943ff21bb6f8cb54e4a2417a98ef197087872e

SHA512
76b51b660d07461f1514961efdc6b8ee7a0976d5bbd2b3e8422ff41309a71dec95d5163172aca425513926f05aebde4746a34f0e938d340271ab83bb53147b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc\files_\SYSTEM~1.TXT

MD5
dc3b8f9bc40ad5f22be6609785579cf0

SHA1
801ea79f5be7ac5100c8dbb784deaa036301540e

SHA256
58b195e6c2d4d4736f4eb735b247f267f9fec7a81220b2e75fe09ead7710f15a

SHA512
b049d49e58b37d35421532840201a93ddd47d56b980f52a1bb282de159d2540dd131022c883299beee6f7bd0c725bf5a5d950a5d9da31410e6d7ecdbb23b7bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6FA.tmp.ps1

MD5
bdfca81c95ff42f6c9466f8176109275

SHA1
8dd8b7432d21c71d2b899ccf618ccec7ba1e31bf

SHA256
818bb6f2315da32853d4ab088f928d5aa41afe250444ac3b1a04d459a6eaabed

SHA512
4abbf79dd159656b73f6e657ae86b38d4dcd3997b3681f14e99ccf967f40c0ea3a874062ea43430b1a1c382fdcdf866ecb1c9cd62aa0ae7a30b6051d2c237155

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6FB.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.ps1

MD5
bbbe7111bd509b09f2257a774b766795

SHA1
f543a5c9443b992366f645e9351f9db22175273e

SHA256
055f6620b78d10663b83509776ad7edb476afb48ea968c7b8446de5df16d11c0

SHA512
92eb21770e8121fefc647ef499b2411648d177ff3606c44af0f1b1ab2b2969bba2e0f895424ca481e4a061bbc42cbeaaa3fa91ded81ab41a3145227f1038abc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB41.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yppumwlckp.vbs

MD5
6f1fc22b1e3e014102221ee268f6d35a

SHA1
e1bc12dca4ce030e2e93d116b0670b4b30d2e606

SHA256
92bed5c6cdbf620b096dcf4425f27edf5d40902ec98dbbf997167124b5c72431

SHA512
20ea0dc19dfa93395e04110d0da17c942b01a268b86c46ce4293e232f52918e1cb289512e7e4f33c8cce9ec0c7ada8b362c640f63beee801d0faeb3f196606a5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
62919fef863ca16909c69f4bf88c1bce

SHA1
eda0d5601e1d5075c2cb6f7578639d46bb7107b1

SHA256
37e42610b8bdd6aab2de9dbb643246367b70bf80ec954b5990a565662d30acc6

SHA512
f9754bd46da4241ebecb14a64a9608d9eec967ddec66e9903f54012a2790485e11517df3f1c4eefefc684498d088167773215494b04985bba0d0ecbb003d3672

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
62919fef863ca16909c69f4bf88c1bce

SHA1
eda0d5601e1d5075c2cb6f7578639d46bb7107b1

SHA256
37e42610b8bdd6aab2de9dbb643246367b70bf80ec954b5990a565662d30acc6

SHA512
f9754bd46da4241ebecb14a64a9608d9eec967ddec66e9903f54012a2790485e11517df3f1c4eefefc684498d088167773215494b04985bba0d0ecbb003d3672

Download Submit
\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL

MD5
56835ac37523e903a4ccc1255467888e

SHA1
0c22ec0b7312322e52651021aa853115d91996b0

SHA256
ab9e74c5ce2c9b1fd7b086a8f1d93cea1baf7b8f7847892cfc7b20288a831281

SHA512
ea6dad63e9be6c4b8a63339ccf4d55217e4b8297cabe45c8d6ffa883b4ed3b3375fc802b1c19f5cc7aa8f8dcd383b732bf4b56b9704fcd61c50618519b19eb94

Download Submit
\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL

MD5
56835ac37523e903a4ccc1255467888e

SHA1
0c22ec0b7312322e52651021aa853115d91996b0

SHA256
ab9e74c5ce2c9b1fd7b086a8f1d93cea1baf7b8f7847892cfc7b20288a831281

SHA512
ea6dad63e9be6c4b8a63339ccf4d55217e4b8297cabe45c8d6ffa883b4ed3b3375fc802b1c19f5cc7aa8f8dcd383b732bf4b56b9704fcd61c50618519b19eb94

Download Submit
\Users\Admin\AppData\Local\Temp\nsn9A14.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/936-26-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/936-29-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/936-15-0x0000000000000000-mapping.dmp

Download
memory/936-31-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/936-30-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/996-47-0x0000000000000000-mapping.dmp

Download
memory/1056-14-0x0000000000000000-mapping.dmp

Download
memory/1064-49-0x0000000000000000-mapping.dmp

Download
memory/1096-40-0x0000000000000000-mapping.dmp

Download
memory/1124-2-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x0000000000000000-mapping.dmp

Download
memory/2052-20-0x0000000000000000-mapping.dmp

Download
memory/2052-24-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2052-27-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/2704-3-0x0000000000000000-mapping.dmp

Download
memory/3876-35-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3876-36-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3876-32-0x0000000000000000-mapping.dmp

Download
memory/3884-48-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/3884-37-0x0000000000000000-mapping.dmp

Download
memory/3940-28-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3940-17-0x0000000000000000-mapping.dmp

Download
memory/3940-25-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/4076-42-0x0000000000000000-mapping.dmp

Download
memory/4120-50-0x0000000000000000-mapping.dmp

Download
memory/4140-54-0x0000000004E30000-0x000000000548F000-memory.dmp

Filesize
6.4MB

Download
memory/4140-51-0x0000000000000000-mapping.dmp

Download
memory/4176-58-0x0000000005220000-0x000000000587F000-memory.dmp

Filesize
6.4MB

Download
memory/4176-55-0x0000000000000000-mapping.dmp

Download
memory/4352-59-0x0000000000000000-mapping.dmp

Download
memory/4456-63-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/4456-66-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/4456-70-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/4456-71-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/4456-68-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/4456-73-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/4456-74-0x0000000009950000-0x0000000009951000-memory.dmp

Filesize
4KB

Download
memory/4456-75-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

Filesize
4KB

Download
memory/4456-76-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/4456-67-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/4456-61-0x0000000000000000-mapping.dmp

Download
memory/4456-69-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/4456-62-0x00000000711D0000-0x00000000718BE000-memory.dmp

Filesize
6.9MB

Download
memory/4456-64-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/4456-65-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/4752-89-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/4752-86-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/4752-80-0x0000000070D90000-0x000000007147E000-memory.dmp

Filesize
6.9MB

Download
memory/4752-78-0x0000000000000000-mapping.dmp

Download
memory/4924-94-0x0000000000000000-mapping.dmp

Download
memory/4960-96-0x0000000000000000-mapping.dmp

Download
memory/5008-97-0x0000000000000000-mapping.dmp

Download