danabot | 49771de8bcea44c22d54d1eebc9f05ff0d33f66355fbf9dd77e7e891cd062bcc

Resubmissions

18-07-2023 15:57

230718-td1q7acf9x 9

11-02-2021 08:01

210211-3ehsn6jste 10

Analysis

max time kernel
137s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
11-02-2021 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea25629f3eaf190ab7d1f6d1b1540f2c.exe
Size

5.3MB
MD5

ea25629f3eaf190ab7d1f6d1b1540f2c
SHA1

aba0b98a67e9ea8e32243cef25eff02a84cfddbc
SHA256

49771de8bcea44c22d54d1eebc9f05ff0d33f66355fbf9dd77e7e891cd062bcc
SHA512

8b1469e27827215fff58160666740bf2edb002c8180def2fe58cb87d1606f60d25df29d7efa5e84dbb896deee36861328b8c70496ec8f95257da3337656b61d9

Score

10^/10

danabot 3 banker discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

192.236.192.241:443

134.119.186.199:443

172.93.201.39:443

104.168.156.222:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2948 created 4364 2948 WerFault.exe kbndukxqye.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exeRUNDLL32.EXE

flow pid process

33 836 WScript.exe
35 836 WScript.exe
37 836 WScript.exe
39 836 WScript.exe
40 3896 RUNDLL32.EXE
41 3896 RUNDLL32.EXE
Executes dropped EXE 5 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exekbndukxqye.exe

pid process

4112 4_ico.exe
4120 6_ico.exe
64 vpn_ico.exe
576 SmartClock.exe
4364 kbndukxqye.exe

description	pid	process	target process
PID 2948 created 4364	2948	WerFault.exe	kbndukxqye.exe

flow	pid	process
33	836	WScript.exe
35	836	WScript.exe
37	836	WScript.exe
39	836	WScript.exe
40	3896	RUNDLL32.EXE
41	3896	RUNDLL32.EXE

pid	process
4112	4_ico.exe
4120	6_ico.exe
64	vpn_ico.exe
576	SmartClock.exe
4364	kbndukxqye.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SmartClock.exe6_ico.exe4_ico.exevpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

vpn_ico.exeSmartClock.exe4_ico.exe6_ico.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	6_ico.exe

Loads dropped DLL 3 IoCs

Processes:

ea25629f3eaf190ab7d1f6d1b1540f2c.exerundll32.exeRUNDLL32.EXE

pid process

4636 ea25629f3eaf190ab7d1f6d1b1540f2c.exe
1976 rundll32.exe
3896 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exe

pid process

4120 6_ico.exe
4112 4_ico.exe
64 vpn_ico.exe
576 SmartClock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2948 4364 WerFault.exe kbndukxqye.exe

pid	process
4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe
1976	rundll32.exe
3896	RUNDLL32.EXE

flow	ioc
8	ip-api.com

pid	pid_target	process	target process
2948	4364	WerFault.exe	kbndukxqye.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEvpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4416 timeout.exe
2592 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings vpn_ico.exe

pid	process
4416	timeout.exe
2592	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

576 SmartClock.exe

pid	process
576	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exeWerFault.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4120	6_ico.exe
4120	6_ico.exe
4112	4_ico.exe
4112	4_ico.exe
64	vpn_ico.exe
64	vpn_ico.exe
576	SmartClock.exe
576	SmartClock.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
3896	RUNDLL32.EXE
3896	RUNDLL32.EXE
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

rundll32.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1976	rundll32.exe
Token: SeRestorePrivilege	2948	WerFault.exe
Token: SeBackupPrivilege	2948	WerFault.exe
Token: SeDebugPrivilege	2948	WerFault.exe
Token: SeDebugPrivilege	3896	RUNDLL32.EXE
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3896 RUNDLL32.EXE

pid	process
3896	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ea25629f3eaf190ab7d1f6d1b1540f2c.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exekbndukxqye.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4636 wrote to memory of 4112	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	4_ico.exe
PID 4636 wrote to memory of 4112	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	4_ico.exe
PID 4636 wrote to memory of 4112	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	4_ico.exe
PID 4636 wrote to memory of 4120	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	6_ico.exe
PID 4636 wrote to memory of 4120	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	6_ico.exe
PID 4636 wrote to memory of 4120	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	6_ico.exe
PID 4636 wrote to memory of 64	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	vpn_ico.exe
PID 4636 wrote to memory of 64	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	vpn_ico.exe
PID 4636 wrote to memory of 64	4636	ea25629f3eaf190ab7d1f6d1b1540f2c.exe	vpn_ico.exe
PID 4112 wrote to memory of 576	4112	4_ico.exe	SmartClock.exe
PID 4112 wrote to memory of 576	4112	4_ico.exe	SmartClock.exe
PID 4112 wrote to memory of 576	4112	4_ico.exe	SmartClock.exe
PID 64 wrote to memory of 4364	64	vpn_ico.exe	kbndukxqye.exe
PID 64 wrote to memory of 4364	64	vpn_ico.exe	kbndukxqye.exe
PID 64 wrote to memory of 4364	64	vpn_ico.exe	kbndukxqye.exe
PID 4120 wrote to memory of 4332	4120	6_ico.exe	cmd.exe
PID 4120 wrote to memory of 4332	4120	6_ico.exe	cmd.exe
PID 4120 wrote to memory of 4332	4120	6_ico.exe	cmd.exe
PID 4332 wrote to memory of 4416	4332	cmd.exe	timeout.exe
PID 4332 wrote to memory of 4416	4332	cmd.exe	timeout.exe
PID 4332 wrote to memory of 4416	4332	cmd.exe	timeout.exe
PID 64 wrote to memory of 4408	64	vpn_ico.exe	WScript.exe
PID 64 wrote to memory of 4408	64	vpn_ico.exe	WScript.exe
PID 64 wrote to memory of 4408	64	vpn_ico.exe	WScript.exe
PID 4120 wrote to memory of 2496	4120	6_ico.exe	cmd.exe
PID 4120 wrote to memory of 2496	4120	6_ico.exe	cmd.exe
PID 4120 wrote to memory of 2496	4120	6_ico.exe	cmd.exe
PID 2496 wrote to memory of 2592	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 2592	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 2592	2496	cmd.exe	timeout.exe
PID 4364 wrote to memory of 1976	4364	kbndukxqye.exe	rundll32.exe
PID 4364 wrote to memory of 1976	4364	kbndukxqye.exe	rundll32.exe
PID 4364 wrote to memory of 1976	4364	kbndukxqye.exe	rundll32.exe
PID 1976 wrote to memory of 3896	1976	rundll32.exe	RUNDLL32.EXE
PID 1976 wrote to memory of 3896	1976	rundll32.exe	RUNDLL32.EXE
PID 1976 wrote to memory of 3896	1976	rundll32.exe	RUNDLL32.EXE
PID 3896 wrote to memory of 4960	3896	RUNDLL32.EXE	powershell.exe
PID 3896 wrote to memory of 4960	3896	RUNDLL32.EXE	powershell.exe
PID 3896 wrote to memory of 4960	3896	RUNDLL32.EXE	powershell.exe
PID 3896 wrote to memory of 2068	3896	RUNDLL32.EXE	powershell.exe
PID 3896 wrote to memory of 2068	3896	RUNDLL32.EXE	powershell.exe
PID 3896 wrote to memory of 2068	3896	RUNDLL32.EXE	powershell.exe
PID 2068 wrote to memory of 3700	2068	powershell.exe	nslookup.exe
PID 2068 wrote to memory of 3700	2068	powershell.exe	nslookup.exe
PID 2068 wrote to memory of 3700	2068	powershell.exe	nslookup.exe
PID 3896 wrote to memory of 4180	3896	RUNDLL32.EXE	schtasks.exe
PID 3896 wrote to memory of 4180	3896	RUNDLL32.EXE	schtasks.exe
PID 3896 wrote to memory of 4180	3896	RUNDLL32.EXE	schtasks.exe
PID 3896 wrote to memory of 2116	3896	RUNDLL32.EXE	schtasks.exe
PID 3896 wrote to memory of 2116	3896	RUNDLL32.EXE	schtasks.exe
PID 3896 wrote to memory of 2116	3896	RUNDLL32.EXE	schtasks.exe
PID 64 wrote to memory of 836	64	vpn_ico.exe	WScript.exe
PID 64 wrote to memory of 836	64	vpn_ico.exe	WScript.exe
PID 64 wrote to memory of 836	64	vpn_ico.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\ea25629f3eaf190ab7d1f6d1b1540f2c.exe
"C:\Users\Admin\AppData\Local\Temp\ea25629f3eaf190ab7d1f6d1b1540f2c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:576

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\enicvwqxclqml & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\enicvwqxclqml & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2592

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\kbndukxqye.exe
"C:\Users\Admin\AppData\Local\Temp\kbndukxqye.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KBNDUK~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\KBNDUK~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KBNDUK~1.DLL,ZFMRfI0=
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8F07.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA56F.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:3700

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 544
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iysroucwikhd.vbs"
3⤵
PID:4408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gpimqyve.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\enicvwqxclqml\46173476.txt
MD5
016719da662249135ea93f607d6b6dde

SHA1
777263284fe0b9c25bdb141805d56ea276576f9c

SHA256
a77788e3d11f18396b96bbdfa9cb70a53a4d2c14693721682b8502495c047c12

SHA512
185a0b68daf90f812f91b18caf5fbf66d82306cc6e4009fa3b4ff66c92710afc5960ee30d2e15d80ff33c4fea342bf735e71e583ae4f624a7cb501cbf936aaec

Download Submit
C:\ProgramData\enicvwqxclqml\8372422.txt
MD5
ae5044b0d999aebf4ebe23cf70e2b915

SHA1
0e5246e7eafbb8011ba75c344a95204a72d505cb

SHA256
3dc9a0d906a8b59bb6cb2bc6caabb1a6fd61e96343a770aac9c97e0981fc140d

SHA512
53b390a2c03fe1d8a2c806035b34ab4efc9ae38790392e00a89c251abc8f56c8ca7f82f088ed8f5c09e8c0dd2df816a46e4ae5c8a09729a41c3c16c7755196d4

Download Submit
C:\ProgramData\enicvwqxclqml\Files\_INFOR~1.TXT
MD5
c325724c2ea37b55a1cb436df0e5793b

SHA1
0ac9c3df7f4e4721a45eb269083c8fade9e97d1d

SHA256
1e8447ebf8f0b1ac5fc23d090ea05eaccca01389a6d5bbd33260bdfe4341dbcc

SHA512
164e7d9e87eb8bf26632b982df74f144bb91a8cebd4722d531af107d470a1720483ff69a37bd1dcbc7cef93107c01f9a04bbe83deb8da7cf084b6703ec96c18a

Download Submit
C:\ProgramData\enicvwqxclqml\NL_202~1.ZIP
MD5
175b674c4a8f58030b0d2943e2e355a4

SHA1
58676c82845367d6882c7df65ddb5af3c1a00b0b

SHA256
d602b7a36e60e3500bda3c8c5c059f52cea6dea1839f3ac7b1c68df7e9e5f1e2

SHA512
aac957d715b7e4bdfc529a093c3452fd19fb9b84dd42431049b41e17920e5589e2b3eb3d0f5c7d808f4ef5f91ac30b253bedffbca5d514d962a4a8cc4643011a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
efdd1ed75ef1fd911ceac4a73bd381d0

SHA1
affbe925805482f3242202c847d1113a1253ecb0

SHA256
34011e820f9e2597443800206526865e5dcf902abda2c32004b89c6d374d7d6f

SHA512
148e9111410b35607e091c543c4fe8539738896449d44f265bbe9883bf69c2ca18585f6ba4addf4bbf30edc723d1133ece82c73d18b8af15f1b589d395121ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBNDUK~1.DLL
MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
bea35372b7da8bc6663015994535e855

SHA1
87b39aa9802a64a0398e052f54736ec5daf49d27

SHA256
994534a6126737ec86f435b56816d31404ce76ea887b8a435fbf095dcc72e7f5

SHA512
80a421efedf1fa971dd92b288dea1229d50f38daf26ffe7dbdbce88f2b229d02da6cffd8a7f0d568d5a24d9b4d8dde71ee91f3d92e18d03d96c1e6f9f21a657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
bea35372b7da8bc6663015994535e855

SHA1
87b39aa9802a64a0398e052f54736ec5daf49d27

SHA256
994534a6126737ec86f435b56816d31404ce76ea887b8a435fbf095dcc72e7f5

SHA512
80a421efedf1fa971dd92b288dea1229d50f38daf26ffe7dbdbce88f2b229d02da6cffd8a7f0d568d5a24d9b4d8dde71ee91f3d92e18d03d96c1e6f9f21a657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
a20fe0b8950570c79143f541ef61d714

SHA1
b91b7292d238bc7507bea696c5c25580afd40a99

SHA256
bd31814541d65a275e4e96189008251f22fbfeaba60f3b5fd46e5624c98c11ce

SHA512
7dd3be338a5d700b467e1d9aa6a21343f9dc424212f375c4f8568661172a9684e295e989a98b68be9586b9ad32aca80a74e51c2704e02a1dc12e6954c4471b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
a20fe0b8950570c79143f541ef61d714

SHA1
b91b7292d238bc7507bea696c5c25580afd40a99

SHA256
bd31814541d65a275e4e96189008251f22fbfeaba60f3b5fd46e5624c98c11ce

SHA512
7dd3be338a5d700b467e1d9aa6a21343f9dc424212f375c4f8568661172a9684e295e989a98b68be9586b9ad32aca80a74e51c2704e02a1dc12e6954c4471b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
a140cbecf85ff88fe843537c3f5d7efa

SHA1
70906dd2b46118ba5dc51c62cc7ba52eec903ca3

SHA256
1f476ab26daa09e512faaad16585d81a5a2215fdeb79bc6ea7c3f2781a617b56

SHA512
3a6cc71f60073783b1704ebe09dd90fbeeed3c2be198966094811df4e5fdd96e58544223bb005d379208e23e6e8409209ec1eadbc8759b31bc78d466a3eeb194

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
a140cbecf85ff88fe843537c3f5d7efa

SHA1
70906dd2b46118ba5dc51c62cc7ba52eec903ca3

SHA256
1f476ab26daa09e512faaad16585d81a5a2215fdeb79bc6ea7c3f2781a617b56

SHA512
3a6cc71f60073783b1704ebe09dd90fbeeed3c2be198966094811df4e5fdd96e58544223bb005d379208e23e6e8409209ec1eadbc8759b31bc78d466a3eeb194

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpimqyve.vbs
MD5
0ec89ababe7ccbd7599238ea647b0614

SHA1
5bdc0a491e9a912a74a8f61b8942c4d53ed28f72

SHA256
e07c4832d0b8e42b1024e5509ac5b59873927c59ad1ae1464b2fe5b5b1d02124

SHA512
16fdbbb77f1b01f006d5c9e565d31dca499d5ec89fdfbdf83810bd0c852d362a6ad46b42557e6fdcad0b35843abb58c73c67dda8119617e2b1e9250297c1d5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iysroucwikhd.vbs
MD5
93d5169d4c356becfb5125cc861f2d62

SHA1
36b4df875a2a7bf278d5e18a6606bf056cb359c0

SHA256
f5f7a8a0524a3cce6dc157ba7679cc596ddda8dc484669156c2566cfd591de52

SHA512
8ef9bd72ff0d4449cf809de4d465e6473e724e46697d421da767f80905d3291a3347ec7ff758ed034e114ac619db41b245586a8c2dd26f02aefd5b66b06029f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbndukxqye.exe
MD5
1718d821b8a49648a69ed9142e23c5e6

SHA1
b8941645e5a657e49b36fa54e687d0c7a831a4dc

SHA256
6445b1dfa77c6ca8a974d88d3dac7aefd9aeecdf0dfa8a7f221426e4b7d51fe3

SHA512
bfce5499d907813234ba0ebeef0b61b45c31cf7979154eb36ae20d2e6fbfe24c5381d19e5d5fc9d451c08d375ba38bfe48d5fa34bbafefb04a1cfbb0c5973770

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbndukxqye.exe
MD5
1718d821b8a49648a69ed9142e23c5e6

SHA1
b8941645e5a657e49b36fa54e687d0c7a831a4dc

SHA256
6445b1dfa77c6ca8a974d88d3dac7aefd9aeecdf0dfa8a7f221426e4b7d51fe3

SHA512
bfce5499d907813234ba0ebeef0b61b45c31cf7979154eb36ae20d2e6fbfe24c5381d19e5d5fc9d451c08d375ba38bfe48d5fa34bbafefb04a1cfbb0c5973770

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F07.tmp.ps1
MD5
d02a1842baa3f4bc73b9e8de250ed60a

SHA1
a8c1c70d42db1c086ebccbe2cbf148f7eaaadb7f

SHA256
31964dca564c5d05f77cdf56922fd644c002698a964f2b148d57571bffbf3b99

SHA512
e08d2fb9f7099d436265b381ed977fa6aead142ccaa9f94941839e0951a7d863858076cf2c1d72ee6386e90f4295f772bbb2664a2b7a85de89e8b1b9934384b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F08.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA56F.tmp.ps1
MD5
46b2f9d440277397a66821e8a54df599

SHA1
cdda69bd803a26f61e4806d1da790158392069aa

SHA256
61d91ae1f4d23b6bcc23b295794a91c57369610547ce7d1fec807d3149705ea7

SHA512
0045475eba1b8e2fff526909202765d90aa1f7753922fab112ab7d03c54b95c98d96ed5d90c10e59f05ab3b7e797bf1fcc6dc0cea97e060f3bbdb2047b41c0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA570.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
bea35372b7da8bc6663015994535e855

SHA1
87b39aa9802a64a0398e052f54736ec5daf49d27

SHA256
994534a6126737ec86f435b56816d31404ce76ea887b8a435fbf095dcc72e7f5

SHA512
80a421efedf1fa971dd92b288dea1229d50f38daf26ffe7dbdbce88f2b229d02da6cffd8a7f0d568d5a24d9b4d8dde71ee91f3d92e18d03d96c1e6f9f21a657a

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
bea35372b7da8bc6663015994535e855

SHA1
87b39aa9802a64a0398e052f54736ec5daf49d27

SHA256
994534a6126737ec86f435b56816d31404ce76ea887b8a435fbf095dcc72e7f5

SHA512
80a421efedf1fa971dd92b288dea1229d50f38daf26ffe7dbdbce88f2b229d02da6cffd8a7f0d568d5a24d9b4d8dde71ee91f3d92e18d03d96c1e6f9f21a657a

Download Submit
\Users\Admin\AppData\Local\Temp\KBNDUK~1.DLL
MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
\Users\Admin\AppData\Local\Temp\KBNDUK~1.DLL
MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
\Users\Admin\AppData\Local\Temp\nsb5664.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/64-46-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/64-7-0x0000000000000000-mapping.dmp

Download
memory/64-47-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/64-45-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/64-44-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/64-43-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/64-16-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/64-17-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/576-36-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/576-37-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/576-35-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/576-27-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/576-34-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/576-33-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/576-31-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/576-32-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/576-24-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/576-18-0x0000000000000000-mapping.dmp

Download
memory/836-120-0x0000000000000000-mapping.dmp

Download
memory/1976-65-0x0000000000000000-mapping.dmp

Download
memory/1976-75-0x0000000005351000-0x00000000059B2000-memory.dmp

Filesize
6.4MB

Download
memory/2068-107-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/2068-110-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/2068-118-0x0000000004F13000-0x0000000004F14000-memory.dmp

Filesize
4KB

Download
memory/2068-105-0x0000000004F12000-0x0000000004F13000-memory.dmp

Filesize
4KB

Download
memory/2068-104-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2068-99-0x00000000704C0000-0x0000000070BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-97-0x0000000000000000-mapping.dmp

Download
memory/2116-119-0x0000000000000000-mapping.dmp

Download
memory/2496-60-0x0000000000000000-mapping.dmp

Download
memory/2592-61-0x0000000000000000-mapping.dmp

Download
memory/2948-68-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2948-69-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3700-115-0x0000000000000000-mapping.dmp

Download
memory/3896-76-0x0000000004C51000-0x00000000052B2000-memory.dmp

Filesize
6.4MB

Download
memory/3896-72-0x0000000000000000-mapping.dmp

Download
memory/4112-28-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4112-30-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/4112-3-0x0000000000000000-mapping.dmp

Download
memory/4112-13-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4112-15-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/4112-25-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4112-26-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4112-23-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4120-21-0x0000000077CD4000-0x0000000077CD5000-memory.dmp

Filesize
4KB

Download
memory/4120-41-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4120-6-0x0000000000000000-mapping.dmp

Download
memory/4120-39-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4120-12-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4120-38-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4120-14-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4120-40-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4120-48-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4180-117-0x0000000000000000-mapping.dmp

Download
memory/4332-52-0x0000000000000000-mapping.dmp

Download
memory/4364-63-0x0000000001420000-0x00000000017FF000-memory.dmp

Filesize
3.9MB

Download
memory/4364-62-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/4364-64-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/4364-49-0x0000000000000000-mapping.dmp

Download
memory/4408-58-0x0000000000000000-mapping.dmp

Download
memory/4416-57-0x0000000000000000-mapping.dmp

Download
memory/4960-86-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/4960-92-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/4960-84-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/4960-83-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/4960-89-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/4960-88-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/4960-87-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/4960-94-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4960-93-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/4960-96-0x0000000004C23000-0x0000000004C24000-memory.dmp

Filesize
4KB

Download
memory/4960-91-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4960-82-0x0000000004C22000-0x0000000004C23000-memory.dmp

Filesize
4KB

Download
memory/4960-81-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4960-80-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/4960-79-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4960-78-0x0000000070A10000-0x00000000710FE000-memory.dmp

Filesize
6.9MB

Download
memory/4960-77-0x0000000000000000-mapping.dmp

Download
memory/4960-85-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download