danabot | 6c94ef12be12667362545a64c325e125ba3647e58276faa93c663432f07d1ab0

Resubmissions

20-03-2021 14:00

210320-n9nmylwvyx 10

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
20-03-2021 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vpn.exe
Size

1.1MB
MD5

025b474dae9f402be5568f96426fe1ec
SHA1

c586839de389951b5048272ebe40b33902db40eb
SHA256

6c94ef12be12667362545a64c325e125ba3647e58276faa93c663432f07d1ab0
SHA512

b2f604f248f960e6a01ea3065545fa53bb43f17ef5b9077732d481acafdfb367b9ddc97beb618a067d843c7ffa9280d480b0f493f0b94d864f354e1e130100bd

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

192.236.146.203:443

192.161.48.5:443

23.106.123.117:443

193.34.167.88:443

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

WScript.exeRUNDLL32.EXE

flow pid process

23 876 WScript.exe
24 912 RUNDLL32.EXE
25 912 RUNDLL32.EXE
26 912 RUNDLL32.EXE
27 912 RUNDLL32.EXE
Executes dropped EXE 3 IoCs

Processes:

Sei.exe.comSei.exe.comcfckaqamcpxe.exe

pid process

300 Sei.exe.com
1120 Sei.exe.com
1080 cfckaqamcpxe.exe

flow	pid	process
23	876	WScript.exe
24	912	RUNDLL32.EXE
25	912	RUNDLL32.EXE
26	912	RUNDLL32.EXE
27	912	RUNDLL32.EXE

pid	process
300	Sei.exe.com
1120	Sei.exe.com
1080	cfckaqamcpxe.exe

Loads dropped DLL 11 IoCs

Processes:

cmd.exeSei.exe.comrundll32.exeRUNDLL32.EXE

pid	process
1192	cmd.exe
1120	Sei.exe.com
1120	Sei.exe.com
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
912	RUNDLL32.EXE
912	RUNDLL32.EXE
912	RUNDLL32.EXE
912	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	RUNDLL32.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
7	ip-api.com

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXESei.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sei.exe.com
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sei.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeSei.exe.com

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sei.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sei.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sei.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

784 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1192 rundll32.exe
Token: SeDebugPrivilege 912 RUNDLL32.EXE

pid	process
784	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1192	rundll32.exe
Token: SeDebugPrivilege	912	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

vpn.execmd.execmd.exeSei.exe.comSei.exe.comcfckaqamcpxe.exerundll32.exe

description	pid	process	target process
PID 1152 wrote to memory of 1452	1152	vpn.exe	cmd.exe
PID 1152 wrote to memory of 1452	1152	vpn.exe	cmd.exe
PID 1152 wrote to memory of 1452	1152	vpn.exe	cmd.exe
PID 1152 wrote to memory of 1452	1152	vpn.exe	cmd.exe
PID 1452 wrote to memory of 1192	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1192	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1192	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1192	1452	cmd.exe	cmd.exe
PID 1192 wrote to memory of 1444	1192	cmd.exe	findstr.exe
PID 1192 wrote to memory of 1444	1192	cmd.exe	findstr.exe
PID 1192 wrote to memory of 1444	1192	cmd.exe	findstr.exe
PID 1192 wrote to memory of 1444	1192	cmd.exe	findstr.exe
PID 1192 wrote to memory of 300	1192	cmd.exe	Sei.exe.com
PID 1192 wrote to memory of 300	1192	cmd.exe	Sei.exe.com
PID 1192 wrote to memory of 300	1192	cmd.exe	Sei.exe.com
PID 1192 wrote to memory of 300	1192	cmd.exe	Sei.exe.com
PID 1192 wrote to memory of 784	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 784	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 784	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 784	1192	cmd.exe	PING.EXE
PID 300 wrote to memory of 1120	300	Sei.exe.com	Sei.exe.com
PID 300 wrote to memory of 1120	300	Sei.exe.com	Sei.exe.com
PID 300 wrote to memory of 1120	300	Sei.exe.com	Sei.exe.com
PID 300 wrote to memory of 1120	300	Sei.exe.com	Sei.exe.com
PID 1120 wrote to memory of 1080	1120	Sei.exe.com	cfckaqamcpxe.exe
PID 1120 wrote to memory of 1080	1120	Sei.exe.com	cfckaqamcpxe.exe
PID 1120 wrote to memory of 1080	1120	Sei.exe.com	cfckaqamcpxe.exe
PID 1120 wrote to memory of 1080	1120	Sei.exe.com	cfckaqamcpxe.exe
PID 1120 wrote to memory of 1616	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 1616	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 1616	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 1616	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 876	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 876	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 876	1120	Sei.exe.com	WScript.exe
PID 1120 wrote to memory of 876	1120	Sei.exe.com	WScript.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1080 wrote to memory of 1192	1080	cfckaqamcpxe.exe	rundll32.exe
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE
PID 1192 wrote to memory of 912	1192	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CmD < Muto.ppsx
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
CmD
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vajPQtXXzHEBktaqYJxMbcgAtBjRfvlcZbbEMXGsnfobkQPlvBBmZopqrMKgSuHXbpCNGOhwerhihRghLexOUKcRgbAqjsmaIkZegeDIgAvVUwNjbvCPLTrMOLnp$" Settala.ppsx
4⤵
PID:1444

C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
Sei.exe.com R
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com R
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\cfckaqamcpxe.exe
"C:\Users\Admin\AppData\Local\Temp\cfckaqamcpxe.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\CFCKAQ~1.EXE
7⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL,XFIKTJ8=
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vlvyqcnhisjo.vbs"
6⤵
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oquprulr.vbs"
6⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:876

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
b63eb2568d0b7558d1c9f0b67ec8406e

SHA1
ff2099aceb959ded8054e22e92791481f8415acb

SHA256
5dd0d417d323f8989ef8bb77347977a3b507d31a805dc05bd3ee0a0a4f4c02d8

SHA512
296a2936ef9f0bbffb61d18637b3eb708de24dc033dfe83b9a98c30eabeeba6ff0687184a194a1fd55e732c45041c1f95cc049c6c3eb394998d379baba7c7937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
8f7b603e746e4cbe1ea09d21b3b5691b

SHA1
6d412f5e38710c70472e326a5af314c7908709a0

SHA256
fd486c32c6aa9bcb6aa028c03c2b4b6b0e13b88fcf90d38788f7620c8a53fae8

SHA512
f9606513716073b3c2d20b9b8b4067f9306b51a8966bea7d9057dd85b37b875ea7cb42b03822b3d7280be0900512e5031a18c245dbbb984575fc76af130d5487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1af85805af0d70f3bfb55ebebec82f96

SHA1
c7e9a36e08617e78fca06639596f3fa294f504d2

SHA256
6883f304bace5a47ac9924cb9caca2c0de34b829b16c69ab0352c599aa5acefa

SHA512
12b9d94093cfab3ae30e38eba7f3f7f30d1cfce5c20c8d2cd1bb638197256f7a4c460c9667c3e0aa0869f73a8591517ba462f47c385363d3fad5dfd062c78f8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
60102f7f518dce8c6e36ece471f8ad1b

SHA1
928893889644364634b84f3229229e969946d2bc

SHA256
065c5a9e33fa51d88a71baa2e887f2ee74eec2d508534c7eea4d4176d88fc9ab

SHA512
ed7ee0d56b2142e890bc7c781c22399e23ec18e549c80325868588b03cb0c5e25d0a815e8226a1dc1e7d9f151705a9ae3c9809e72601fe3a2a919e7631d02f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
060727d4c59a412b7feabedcbdfd008c

SHA1
b52e236e8d6926c2de8d56e693773c47df28e8e5

SHA256
a5dfb55811ca484426e88b225175fe931e87bc06f5c1489adf3b98017115b174

SHA512
d6ddcf886e077e5f3a278f390958b026c5192713b731fd1d8b277b5470e4b351ffb46ccf4398c42a48a6c7112eb7957ab73043d8ad35364cfe89271ae9c5722b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4ee5ce9743a33035c9c09c561e0f6938

SHA1
4ac77649840fd5fd951d9e2a62e3db0918b5e132

SHA256
63459c8784592e3015171a812341bce032446194e2248fc6d98a0d164c77bc5f

SHA512
ed0dca73ef28d5362aac88a3454a09c9bd51baf51dc8e6a5929c12a2d56d8daa5b61c7bbf80137527453a0cf90dc6c9ed0c4e725c751cad3b08e30bf26b1006b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
d71e39e6e95c41b9e0a86b477a6c157a

SHA1
da00d48bc58c51555209b8355808e6c4a7504124

SHA256
c118fecda553ded0f5513d07755a0b56a819bbd04210fd1c23b07f6a5ee671d8

SHA512
3500b6647e7cbac7e676ed6e31c077b13c1d3d7920f1619f120c873f68aa726be75f111b34c4ad1edae933f7db6a14afe731b006752eb31864720607e371a3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFCKAQ~1.EXE
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfckaqamcpxe.exe
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oquprulr.vbs
MD5
e3533a390791fc090977581b0c9c9ac9

SHA1
5ee65a16cbb3f26f45a7ec157638204f54c68dce

SHA256
79652f816c43de10c7d52c11259eae070a2c99b2f1abe045581b4d47c3593980

SHA512
e3bd73df4ac49be737857e56d09f391c068d89b3f4c993bcb1663e3134ff03c59bb559a730291210202f64858f87f697a7c09f26e6b1ecf87cd11a1d857db3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlvyqcnhisjo.vbs
MD5
58995335e21e208965a8faa414bb1b84

SHA1
057eb59a5520bfe58b8cd4b18b6b47ffef84eed5

SHA256
8b4ca0b4469cecc6cbce527c888180d270113d66bda3fdbd86a03ae2e434d85e

SHA512
7b8ec64a66d372514dd30dc6797bf08affe59fc9538d48e8fdb3f85d7ce6ae4e5b56aa1a62de99f9a205db5bd3b44effff6fa6222c86054d81f9e735f09623aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\61D6K52E.txt
MD5
f40b45626283d51ab5f01212cc3f2074

SHA1
1d27b4a57771e0cc6ebe60333c40f35b428c4c20

SHA256
6d23c8959f4835020bd3a79ca7aaa71220298b3cb63a22f2e746ff00117aac58

SHA512
011669952e9268f769572bbb98da27950a9fc7fd7a6c32ac796c1cfddcba3ab4d08c67be19f0f6abb76ee6e476cbc39ec941320e04bca824150cf5531d4e48ca

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Arrossendo.ppsx
MD5
6564b65095baeea2cb63bed24cc1850a

SHA1
b4b46e41da33d2e45b8682610bb889202596be78

SHA256
58822a2314d5fa32d323b67df0ffdc8854b73cc7d3e63d6c867b02ad1cb2de57

SHA512
814e0863874b874c8c225d4ba7d32e5395d59268df1c0f11a9bf6a4c70b0c3a21b82f8dd8da5e8a2c3a3b0e1942679680bc653e5db3e9f73f9eb5d334e33b555

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Dov.ppsx
MD5
5c716b5c5a0f0acdee592e37de828747

SHA1
7bf8666655cc417adfc8603d42bccaedc9dd02d7

SHA256
9cb5ec6461309e5df60984802a0ac776c9998046367f4f5ac16a1b6677a75faf

SHA512
61ce4e30d06f3a8ee10dadda076c94eaab42cbd8268cd8add18083df4c426fac9ede98206717e92187f5ddb53c15c60313a0b40b32d3d42e00f902f2c94aa061

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Muto.ppsx
MD5
be2686eaeb2ddb9aa58d46e3092f8a67

SHA1
b0d2f08593de8e4531007cbceeee213013ae1428

SHA256
f3e010e9cc18db185e2ad285334d0c37d453693c2ab1cd5dd3e48b7bc914e7b4

SHA512
3d6eacc7a8f1d74d47c75fd67bb50932715482510fdb493fc08192180ed629fc72cc1eee01410c655343c3cc35d9895d60882dca1419393518a259cad5952199

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\R
MD5
6564b65095baeea2cb63bed24cc1850a

SHA1
b4b46e41da33d2e45b8682610bb889202596be78

SHA256
58822a2314d5fa32d323b67df0ffdc8854b73cc7d3e63d6c867b02ad1cb2de57

SHA512
814e0863874b874c8c225d4ba7d32e5395d59268df1c0f11a9bf6a4c70b0c3a21b82f8dd8da5e8a2c3a3b0e1942679680bc653e5db3e9f73f9eb5d334e33b555

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Settala.ppsx
MD5
db3c5fbd6832bcb620a393ad09a4d31c

SHA1
95ba32b54c8ab0e6df40af139d659e776ec6a6cb

SHA256
51dae8e5e7b84b5426cb6e4ee22f6d532783a566b1f7542df611b995ec281ee8

SHA512
f4526d330bea1eb7aa8e688936c3a2b6ac6e59e045e66c15f865011f5de604824b6811928f75d84c3f7ad95665556c6ad7ef984c1b2e02a0a12c238b6d0e4d54

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\CFCKAQ~1.DLL
MD5
6d20b73025d0d08e19b6451226532970

SHA1
2ab325bf27ec3feeecec3518e8b8e2860899075f

SHA256
c90441668e8b16f5f60f21ac51a91fb2a808216a49a5369e82be63d96f4ea007

SHA512
5247b2139f4f06f646c472f6f4bb925846064c29c0f7fd654f9ebdb23aa0e1db0bb04c7ef1c76695c66f31b3ac9fa5902bc4d4f62f9383ff37271ec0f39d225f

Download Submit
\Users\Admin\AppData\Local\Temp\cfckaqamcpxe.exe
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
\Users\Admin\AppData\Local\Temp\cfckaqamcpxe.exe
MD5
5794875a894c319563b8fe923f0063a2

SHA1
d8ffeef5315fd61df3e9cda4c1446b7b7e24f765

SHA256
55a488e69b8d887aaf0bd9cdaad7314c42ef387174a9a09be3e5724c1b8da07c

SHA512
029622b22d8584ad860aafd236c381fbd9be6b9b67e28635e164bd71326a2ff6014ff18f6c18126dc1be42f9befbc9adf7f853c98556f2fe1e7e578003076d3b

Download Submit
\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/300-10-0x0000000000000000-mapping.dmp

Download
memory/784-12-0x0000000000000000-mapping.dmp

Download
memory/852-20-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/876-46-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/876-34-0x0000000000000000-mapping.dmp

Download
memory/912-65-0x00000000029F1000-0x0000000003052000-memory.dmp

Filesize
6.4MB

Download
memory/912-64-0x0000000074610000-0x00000000747B3000-memory.dmp

Filesize
1.6MB

Download
memory/912-56-0x0000000000000000-mapping.dmp

Download
memory/1080-33-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1080-23-0x0000000000000000-mapping.dmp

Download
memory/1080-28-0x00000000038C0000-0x00000000038D1000-memory.dmp

Filesize
68KB

Download
memory/1080-31-0x00000000038C0000-0x0000000003FB7000-memory.dmp

Filesize
7.0MB

Download
memory/1080-32-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1120-19-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1120-15-0x0000000000000000-mapping.dmp

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1192-54-0x0000000074620000-0x00000000747C3000-memory.dmp

Filesize
1.6MB

Download
memory/1192-5-0x0000000000000000-mapping.dmp

Download
memory/1192-62-0x00000000028B1000-0x0000000002F12000-memory.dmp

Filesize
6.4MB

Download
memory/1192-63-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1192-47-0x0000000000000000-mapping.dmp

Download
memory/1444-6-0x0000000000000000-mapping.dmp

Download
memory/1452-3-0x0000000000000000-mapping.dmp

Download
memory/1616-25-0x0000000000000000-mapping.dmp

Download
memory/1616-29-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download