danabot | 311a51eef668a68b50238afa2b983f99d8c92149493a63a9aaf64205cee2267b

Analysis

max time kernel
136s
max time network
128s
platform
windows10_x64
resource
win10v20201028
submitted
04-02-2021 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nq8qKG6gEK7T9JHBQ7UA.exe
Size

5.2MB
MD5

f679b1ac6c3352b57474d05c88c80133
SHA1

f7ea6d5eb0cdecdc3ae1c550f7d3430cb490432c
SHA256

311a51eef668a68b50238afa2b983f99d8c92149493a63a9aaf64205cee2267b
SHA512

31bcae552d0c46361611dc51ebeb79e2bcf776c2167839f3bf6d85c560efce759863f2c24b3d5d5ba4ec374ca0aac22cfe8953f44a78e7d20480f4af14db8e5f

Score

10^/10

danabot 3 banker discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

193.34.167.163:443

78.138.98.136:443

134.119.186.198:443

172.93.201.39:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 7 IoCs

Processes:

WScript.exeRUNDLL32.EXE

flow pid process

27 4172 WScript.exe
29 4172 WScript.exe
32 4172 WScript.exe
34 4172 WScript.exe
37 2912 RUNDLL32.EXE
40 2912 RUNDLL32.EXE
41 2912 RUNDLL32.EXE
Executes dropped EXE 5 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exejubhtpeaqd.exe

pid process

4092 4_ico.exe
1820 6_ico.exe
3696 vpn_ico.exe
4056 SmartClock.exe
2252 jubhtpeaqd.exe

flow	pid	process
27	4172	WScript.exe
29	4172	WScript.exe
32	4172	WScript.exe
34	4172	WScript.exe
37	2912	RUNDLL32.EXE
40	2912	RUNDLL32.EXE
41	2912	RUNDLL32.EXE

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6_ico.exevpn_ico.exeSmartClock.exe4_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 5 IoCs

Processes:

nq8qKG6gEK7T9JHBQ7UA.exerundll32.exeRUNDLL32.EXE

pid process

740 nq8qKG6gEK7T9JHBQ7UA.exe
208 rundll32.exe
208 rundll32.exe
2912 RUNDLL32.EXE
2912 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

pid process

4092 4_ico.exe
1820 6_ico.exe
3696 vpn_ico.exe
4056 SmartClock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
740	nq8qKG6gEK7T9JHBQ7UA.exe
208	rundll32.exe
208	rundll32.exe
2912	RUNDLL32.EXE
2912	RUNDLL32.EXE

flow	ioc
7	ip-api.com

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEvpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3672 timeout.exe
3164 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
3672	timeout.exe
3164	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4056 SmartClock.exe

pid	process
4056	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4092	4_ico.exe
4092	4_ico.exe
1820	6_ico.exe
1820	6_ico.exe
3696	vpn_ico.exe
3696	vpn_ico.exe
4056	SmartClock.exe
4056	SmartClock.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
2912	RUNDLL32.EXE
2912	RUNDLL32.EXE
1188	powershell.exe
1188	powershell.exe
1188	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	208	rundll32.exe
Token: SeDebugPrivilege	2912	RUNDLL32.EXE
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2912 RUNDLL32.EXE

pid	process
2912	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

nq8qKG6gEK7T9JHBQ7UA.exe4_ico.exevpn_ico.exe6_ico.exejubhtpeaqd.execmd.execmd.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 740 wrote to memory of 4092	740	nq8qKG6gEK7T9JHBQ7UA.exe	4_ico.exe
PID 740 wrote to memory of 4092	740	nq8qKG6gEK7T9JHBQ7UA.exe	4_ico.exe
PID 740 wrote to memory of 4092	740	nq8qKG6gEK7T9JHBQ7UA.exe	4_ico.exe
PID 740 wrote to memory of 1820	740	nq8qKG6gEK7T9JHBQ7UA.exe	6_ico.exe
PID 740 wrote to memory of 1820	740	nq8qKG6gEK7T9JHBQ7UA.exe	6_ico.exe
PID 740 wrote to memory of 1820	740	nq8qKG6gEK7T9JHBQ7UA.exe	6_ico.exe
PID 740 wrote to memory of 3696	740	nq8qKG6gEK7T9JHBQ7UA.exe	vpn_ico.exe
PID 740 wrote to memory of 3696	740	nq8qKG6gEK7T9JHBQ7UA.exe	vpn_ico.exe
PID 740 wrote to memory of 3696	740	nq8qKG6gEK7T9JHBQ7UA.exe	vpn_ico.exe
PID 4092 wrote to memory of 4056	4092	4_ico.exe	SmartClock.exe
PID 4092 wrote to memory of 4056	4092	4_ico.exe	SmartClock.exe
PID 4092 wrote to memory of 4056	4092	4_ico.exe	SmartClock.exe
PID 3696 wrote to memory of 2252	3696	vpn_ico.exe	jubhtpeaqd.exe
PID 3696 wrote to memory of 2252	3696	vpn_ico.exe	jubhtpeaqd.exe
PID 3696 wrote to memory of 2252	3696	vpn_ico.exe	jubhtpeaqd.exe
PID 3696 wrote to memory of 4064	3696	vpn_ico.exe	WScript.exe
PID 3696 wrote to memory of 4064	3696	vpn_ico.exe	WScript.exe
PID 3696 wrote to memory of 4064	3696	vpn_ico.exe	WScript.exe
PID 1820 wrote to memory of 3872	1820	6_ico.exe	cmd.exe
PID 1820 wrote to memory of 3872	1820	6_ico.exe	cmd.exe
PID 1820 wrote to memory of 3872	1820	6_ico.exe	cmd.exe
PID 1820 wrote to memory of 3928	1820	6_ico.exe	cmd.exe
PID 1820 wrote to memory of 3928	1820	6_ico.exe	cmd.exe
PID 1820 wrote to memory of 3928	1820	6_ico.exe	cmd.exe
PID 2252 wrote to memory of 208	2252	jubhtpeaqd.exe	rundll32.exe
PID 2252 wrote to memory of 208	2252	jubhtpeaqd.exe	rundll32.exe
PID 2252 wrote to memory of 208	2252	jubhtpeaqd.exe	rundll32.exe
PID 3872 wrote to memory of 3672	3872	cmd.exe	timeout.exe
PID 3872 wrote to memory of 3672	3872	cmd.exe	timeout.exe
PID 3872 wrote to memory of 3672	3872	cmd.exe	timeout.exe
PID 3928 wrote to memory of 3164	3928	cmd.exe	timeout.exe
PID 3928 wrote to memory of 3164	3928	cmd.exe	timeout.exe
PID 3928 wrote to memory of 3164	3928	cmd.exe	timeout.exe
PID 208 wrote to memory of 2912	208	rundll32.exe	RUNDLL32.EXE
PID 208 wrote to memory of 2912	208	rundll32.exe	RUNDLL32.EXE
PID 208 wrote to memory of 2912	208	rundll32.exe	RUNDLL32.EXE
PID 2912 wrote to memory of 3176	2912	RUNDLL32.EXE	powershell.exe
PID 2912 wrote to memory of 3176	2912	RUNDLL32.EXE	powershell.exe
PID 2912 wrote to memory of 3176	2912	RUNDLL32.EXE	powershell.exe
PID 2912 wrote to memory of 1188	2912	RUNDLL32.EXE	powershell.exe
PID 2912 wrote to memory of 1188	2912	RUNDLL32.EXE	powershell.exe
PID 2912 wrote to memory of 1188	2912	RUNDLL32.EXE	powershell.exe
PID 3696 wrote to memory of 4172	3696	vpn_ico.exe	WScript.exe
PID 3696 wrote to memory of 4172	3696	vpn_ico.exe	WScript.exe
PID 3696 wrote to memory of 4172	3696	vpn_ico.exe	WScript.exe
PID 1188 wrote to memory of 4260	1188	powershell.exe	nslookup.exe
PID 1188 wrote to memory of 4260	1188	powershell.exe	nslookup.exe
PID 1188 wrote to memory of 4260	1188	powershell.exe	nslookup.exe
PID 2912 wrote to memory of 4304	2912	RUNDLL32.EXE	schtasks.exe
PID 2912 wrote to memory of 4304	2912	RUNDLL32.EXE	schtasks.exe
PID 2912 wrote to memory of 4304	2912	RUNDLL32.EXE	schtasks.exe
PID 2912 wrote to memory of 4516	2912	RUNDLL32.EXE	schtasks.exe
PID 2912 wrote to memory of 4516	2912	RUNDLL32.EXE	schtasks.exe
PID 2912 wrote to memory of 4516	2912	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\nq8qKG6gEK7T9JHBQ7UA.exe
"C:\Users\Admin\AppData\Local\Temp\nq8qKG6gEK7T9JHBQ7UA.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\xmdhrxr & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\xmdhrxr & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3164

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\jubhtpeaqd.exe
"C:\Users\Admin\AppData\Local\Temp\jubhtpeaqd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\JUBHTP~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL,cRhZfI3Q
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDCEA.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:4304

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:4516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xpsghlnj.vbs"
3⤵
PID:4064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ixiishe.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xmdhrxr\46173476.txt
MD5
f187457b42e72a48d52cbf58b589cc60

SHA1
3ff4f9ca3b78c4d1c965d664f5a4f7108cb2e9dc

SHA256
3faeafe9d7c58b15ba04561d1fbb700b9c53d3c80e8f94c0e836088afb50374f

SHA512
93c420dac08de668c53f2eb81ebef6e84e600f4217507ad2ee556b798d732c809baa94783b64a33a2ecad32185cb3926537daaa029a71d218ec55eef577c7aa2

Download Submit
C:\ProgramData\xmdhrxr\8372422.txt
MD5
4a6e899492f64bff18ba4a9c4dfb0fff

SHA1
3f706240d14584ca6d64f9bda98613819fe39378

SHA256
5c101c0e1cae8c8980d501aac750a43233cb617d99b59b3913497790c29b85cf

SHA512
0a052e9f6d01f404d92ab2835e76d520a119b3b338411fc2ad7dc1dc58c141b171003f7a3078bca7088310f2830e6d8e1d06b50b2c5053188494761aebaaebe6

Download Submit
C:\ProgramData\xmdhrxr\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\xmdhrxr\NL_202~1.ZIP
MD5
ea73097ca1d1393e7b549ae0008c4617

SHA1
0b75c2e294cfb789a27a198c96093147dca93574

SHA256
804dbb1ff605ccfa9ed31d4ffaef8364ecf6ad1e8715f905c9fd6269006bd860

SHA512
2e3699d1598197bf30a946405178723eaf049f63b6ec32a3be2a03f07e7fc048f19a95cebf9780a6a2bea4630965f7b8e45d83f0290f488dbce94a87ef89d3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7645fe4063ec06c8ea247ab808810e76

SHA1
0700e149ad36f25aeb44528acc95755e17de9977

SHA256
5c612f9636327dda7c2eb9afa3a49316b30bd85a2a85d206b94c7821b3aa35cf

SHA512
d5c56f263867c76355a1dd102f83cbfd950ee01dbee3c6124cbb9c943d9ed2a0684b6ce2a1e441537b1b7368529e0fcc12d7eeb4d4005ee18764321035e0e6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL
MD5
9cfd170023b9c5a31680f42b0033dfb2

SHA1
5ead0ad80504f2f31e7904ad6571ce49eb54012e

SHA256
a102ecc8a282b034e32c210ff5683c2a9ec3a2c96cada418efabea45432ab06c

SHA512
e3f3497e4afc9987c96d8d2cc593d04c472702619c3a8d21bf567edea4745af3e3d489f35a9d7bf3cc314e980ae8b9cb681ee4e22461ee167951516619b4589f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
6e9d14c9187fb1869e51e58178c56861

SHA1
a0242ac96256fb01411887f3363975e10683a360

SHA256
4dd499523c7d5f5a9c991ad76415fc39976bb85c7f2c9373e7f6c18a6e1f9e5f

SHA512
b8d2574c8dd8c341119b81be9596bc303f470b60689d3d58586688c0d3f00dc2353cbaf814e3d2b3607d323640b990c0c2c257692d6a36b68d6ae39eb38e9d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
6e9d14c9187fb1869e51e58178c56861

SHA1
a0242ac96256fb01411887f3363975e10683a360

SHA256
4dd499523c7d5f5a9c991ad76415fc39976bb85c7f2c9373e7f6c18a6e1f9e5f

SHA512
b8d2574c8dd8c341119b81be9596bc303f470b60689d3d58586688c0d3f00dc2353cbaf814e3d2b3607d323640b990c0c2c257692d6a36b68d6ae39eb38e9d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
cc4916c1226b78a470b52bd9315cc46f

SHA1
1ce2f4ace97619e92d91e6f7c0e22eaf8f1310dd

SHA256
d58ec00e24058755535991ca488ad7cbd3861cdd20f4b8e63c0f2ccacb015877

SHA512
e29e093492704c4be4a2d8c8c5093669ee70e6bfe53298dba9d091ba65752cafa49fa573290576844a71da0383ca9524e013dd3edd15ecc3f873673a5e450a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
cc4916c1226b78a470b52bd9315cc46f

SHA1
1ce2f4ace97619e92d91e6f7c0e22eaf8f1310dd

SHA256
d58ec00e24058755535991ca488ad7cbd3861cdd20f4b8e63c0f2ccacb015877

SHA512
e29e093492704c4be4a2d8c8c5093669ee70e6bfe53298dba9d091ba65752cafa49fa573290576844a71da0383ca9524e013dd3edd15ecc3f873673a5e450a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
8ebcc333600643e15d4ecc5aafa91c46

SHA1
0163674b83c0bb101b9254a4df60db29d309ede0

SHA256
548157c1856d774465b757553b567c3292686c874b83e1f3e2cb8e63787a6382

SHA512
c25ebddc0e3a4e9f64dd3ff52fd5d3e7c5fb073e965e489252e9e92a9ce95335cf637149606c82527b88170ee3a4338ce18cf34e0c509eb3da6279e1109199a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
8ebcc333600643e15d4ecc5aafa91c46

SHA1
0163674b83c0bb101b9254a4df60db29d309ede0

SHA256
548157c1856d774465b757553b567c3292686c874b83e1f3e2cb8e63787a6382

SHA512
c25ebddc0e3a4e9f64dd3ff52fd5d3e7c5fb073e965e489252e9e92a9ce95335cf637149606c82527b88170ee3a4338ce18cf34e0c509eb3da6279e1109199a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixiishe.vbs
MD5
d210fd3c63bf6d40591fc89c31b416f9

SHA1
d8064a8440306138f322fae280775ea3cb547e21

SHA256
070bb9d32df319bc8441ddc94f138adb660b52a5334ad4cceb019c9068b9b2f9

SHA512
5356e55d0a6d44934d13f4631222db35257a4109ca371797603fdc8df178a6316a910733d55abc941cb2915e6db8d1cf3296e28a33a05471905963923ed07f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubhtpeaqd.exe
MD5
43c5ab93ab23c9b017654bef5ef15b17

SHA1
8f0a7142ad66367a00a22eea5da886df7fd1092e

SHA256
0af85ed788c094288aac95d885c946987cdc690937750e0ec6db15a889297923

SHA512
5d6abf3393a540794b1b51106896be902e9d353f0023752249780b9626c7bcf92cc7f2b9b87722f7428884d90d3b067e8f3d53604e7411862e3d5d8798a61241

Download Submit
C:\Users\Admin\AppData\Local\Temp\jubhtpeaqd.exe
MD5
43c5ab93ab23c9b017654bef5ef15b17

SHA1
8f0a7142ad66367a00a22eea5da886df7fd1092e

SHA256
0af85ed788c094288aac95d885c946987cdc690937750e0ec6db15a889297923

SHA512
5d6abf3393a540794b1b51106896be902e9d353f0023752249780b9626c7bcf92cc7f2b9b87722f7428884d90d3b067e8f3d53604e7411862e3d5d8798a61241

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.ps1
MD5
a4fcbe2ca16a0e683bb6cf9062c99132

SHA1
cd4d7d4742acf670ded2186e23cac8cc0ddbf098

SHA256
b1f18dbda400651f06517af7c162264e6e9d66bb25441d2178d8ba775fb1b8ab

SHA512
cc7d666cb52f99fb3408c1d1fba96776abbbb60bb4f2f056a5510b470d61339f6d8ce84ee31cee405fbdc9a59eb33a7c0161ee1272eb457d1d56f363d56fd426

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB647.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCEA.tmp.ps1
MD5
444f09b45f0aea455fed3c7ec94e9273

SHA1
89d513135abd680c164b02a588594ec516c109d1

SHA256
76a1fd4e27da0615ffb4e805b0e2e0494d057f0b2320b7fbf497ec5046e7bf0e

SHA512
4089755dbd47c1f6027c07eb962484c6cb5a0f77eaa043ee00125769ff8c6edc983ffe9ce32322a4a392659428783f735cf32036342151abbe89c59af5e2f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCEB.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpsghlnj.vbs
MD5
b888f347c2dbe8012923763142dc2b5b

SHA1
d2e9b0d5265fbef6a00947399c3f705d4c4925b3

SHA256
429ef224d172ffeecb2dda0d9b12f385bb424ca773f764bf7b7316bb24bb0ece

SHA512
036680b8728a92e78a945fc6787612314d0b486bb43e5b85521bd1221539e848feac43a7233466dd1650005efabf2fe83c4909a603882a2e1d5b7879d2027a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
6e9d14c9187fb1869e51e58178c56861

SHA1
a0242ac96256fb01411887f3363975e10683a360

SHA256
4dd499523c7d5f5a9c991ad76415fc39976bb85c7f2c9373e7f6c18a6e1f9e5f

SHA512
b8d2574c8dd8c341119b81be9596bc303f470b60689d3d58586688c0d3f00dc2353cbaf814e3d2b3607d323640b990c0c2c257692d6a36b68d6ae39eb38e9d36

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
6e9d14c9187fb1869e51e58178c56861

SHA1
a0242ac96256fb01411887f3363975e10683a360

SHA256
4dd499523c7d5f5a9c991ad76415fc39976bb85c7f2c9373e7f6c18a6e1f9e5f

SHA512
b8d2574c8dd8c341119b81be9596bc303f470b60689d3d58586688c0d3f00dc2353cbaf814e3d2b3607d323640b990c0c2c257692d6a36b68d6ae39eb38e9d36

Download Submit
\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL
MD5
9cfd170023b9c5a31680f42b0033dfb2

SHA1
5ead0ad80504f2f31e7904ad6571ce49eb54012e

SHA256
a102ecc8a282b034e32c210ff5683c2a9ec3a2c96cada418efabea45432ab06c

SHA512
e3f3497e4afc9987c96d8d2cc593d04c472702619c3a8d21bf567edea4745af3e3d489f35a9d7bf3cc314e980ae8b9cb681ee4e22461ee167951516619b4589f

Download Submit
\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL
MD5
9cfd170023b9c5a31680f42b0033dfb2

SHA1
5ead0ad80504f2f31e7904ad6571ce49eb54012e

SHA256
a102ecc8a282b034e32c210ff5683c2a9ec3a2c96cada418efabea45432ab06c

SHA512
e3f3497e4afc9987c96d8d2cc593d04c472702619c3a8d21bf567edea4745af3e3d489f35a9d7bf3cc314e980ae8b9cb681ee4e22461ee167951516619b4589f

Download Submit
\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL
MD5
9cfd170023b9c5a31680f42b0033dfb2

SHA1
5ead0ad80504f2f31e7904ad6571ce49eb54012e

SHA256
a102ecc8a282b034e32c210ff5683c2a9ec3a2c96cada418efabea45432ab06c

SHA512
e3f3497e4afc9987c96d8d2cc593d04c472702619c3a8d21bf567edea4745af3e3d489f35a9d7bf3cc314e980ae8b9cb681ee4e22461ee167951516619b4589f

Download Submit
\Users\Admin\AppData\Local\Temp\JUBHTP~1.DLL
MD5
9cfd170023b9c5a31680f42b0033dfb2

SHA1
5ead0ad80504f2f31e7904ad6571ce49eb54012e

SHA256
a102ecc8a282b034e32c210ff5683c2a9ec3a2c96cada418efabea45432ab06c

SHA512
e3f3497e4afc9987c96d8d2cc593d04c472702619c3a8d21bf567edea4745af3e3d489f35a9d7bf3cc314e980ae8b9cb681ee4e22461ee167951516619b4589f

Download Submit
\Users\Admin\AppData\Local\Temp\nsw7D45.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/208-71-0x00000000046C1000-0x0000000004A7A000-memory.dmp

Filesize
3.7MB

Download
memory/208-76-0x0000000004B11000-0x0000000005172000-memory.dmp

Filesize
6.4MB

Download
memory/208-65-0x0000000000000000-mapping.dmp

Download
memory/1188-110-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/1188-111-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/1188-120-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/1188-109-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/1188-106-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/1188-98-0x0000000000000000-mapping.dmp

Download
memory/1188-100-0x0000000070D10000-0x00000000713FE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-55-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1820-38-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1820-40-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1820-48-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1820-49-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1820-15-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1820-13-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1820-6-0x0000000000000000-mapping.dmp

Download
memory/2252-58-0x0000000003A70000-0x0000000003E4F000-memory.dmp

Filesize
3.9MB

Download
memory/2252-59-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2252-50-0x0000000000000000-mapping.dmp

Download
memory/2252-56-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/2912-72-0x0000000000000000-mapping.dmp

Download
memory/2912-77-0x0000000004A71000-0x00000000050D2000-memory.dmp

Filesize
6.4MB

Download
memory/2912-75-0x0000000004321000-0x00000000046DA000-memory.dmp

Filesize
3.7MB

Download
memory/3164-67-0x0000000000000000-mapping.dmp

Download
memory/3176-86-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/3176-81-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/3176-89-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/3176-88-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/3176-87-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3176-92-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3176-85-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3176-84-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3176-83-0x0000000004372000-0x0000000004373000-memory.dmp

Filesize
4KB

Download
memory/3176-97-0x0000000004373000-0x0000000004374000-memory.dmp

Filesize
4KB

Download
memory/3176-95-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3176-94-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3176-82-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3176-90-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/3176-80-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3176-93-0x00000000094C0000-0x00000000094C1000-memory.dmp

Filesize
4KB

Download
memory/3176-79-0x0000000071270000-0x000000007195E000-memory.dmp

Filesize
6.9MB

Download
memory/3176-78-0x0000000000000000-mapping.dmp

Download
memory/3672-66-0x0000000000000000-mapping.dmp

Download
memory/3696-19-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3696-32-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3696-37-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3696-34-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3696-31-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3696-17-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3696-33-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3696-18-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3696-16-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3696-9-0x0000000000000000-mapping.dmp

Download
memory/3872-57-0x0000000000000000-mapping.dmp

Download
memory/3928-63-0x0000000000000000-mapping.dmp

Download
memory/4056-36-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4056-20-0x0000000000000000-mapping.dmp

Download
memory/4056-35-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4056-41-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4056-42-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/4056-47-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4056-43-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4056-44-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4056-46-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4056-45-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4064-53-0x0000000000000000-mapping.dmp

Download
memory/4092-27-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4092-23-0x0000000077D14000-0x0000000077D15000-memory.dmp

Filesize
4KB

Download
memory/4092-25-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4092-26-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4092-28-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4092-12-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4092-14-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/4092-29-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4092-3-0x0000000000000000-mapping.dmp

Download
memory/4172-113-0x0000000000000000-mapping.dmp

Download
memory/4260-118-0x0000000000000000-mapping.dmp

Download
memory/4304-121-0x0000000000000000-mapping.dmp

Download
memory/4516-122-0x0000000000000000-mapping.dmp

Download