danabot | 6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0

Analysis

max time kernel
136s
max time network
143s
platform
windows10_x64
resource
win10v20210408
submitted
22-07-2021 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434c4d6383148ec2d1e98e455ff2629b.exe
Size

1.1MB
MD5

434c4d6383148ec2d1e98e455ff2629b
SHA1

4fe3f1549a9ef0d6c1ff611a1a4f88cf17c8d8cb
SHA256

6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0
SHA512

3e83e7d70f3634418a8c1a950b43587104f6ba0213a2f49e95ab72f7e740030d3d1568b66a5938c47250daed961ea31c3a65094bc95db7d6de1c13ae36fe33ed

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

32 3168 WScript.exe
34 3168 WScript.exe
36 3168 WScript.exe
38 3168 WScript.exe
41 1848 rundll32.exe
42 856 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

4.exevpn.exeLucca.exe.comLucca.exe.comSmartClock.exeqwvbaegb.exe

pid process

3796 4.exe
3888 vpn.exe
936 Lucca.exe.com
648 Lucca.exe.com
1164 SmartClock.exe
3200 qwvbaegb.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

434c4d6383148ec2d1e98e455ff2629b.exerundll32.exeRUNDLL32.EXE

pid process

752 434c4d6383148ec2d1e98e455ff2629b.exe
1848 rundll32.exe
856 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

flow	pid	process
32	3168	WScript.exe
34	3168	WScript.exe
36	3168	WScript.exe
38	3168	WScript.exe
41	1848	rundll32.exe
42	856	RUNDLL32.EXE

pid	process
3796	4.exe
3888	vpn.exe
936	Lucca.exe.com
648	Lucca.exe.com
1164	SmartClock.exe
3200	qwvbaegb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
752	434c4d6383148ec2d1e98e455ff2629b.exe
1848	rundll32.exe
856	RUNDLL32.EXE

flow	ioc
16	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

434c4d6383148ec2d1e98e455ff2629b.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	434c4d6383148ec2d1e98e455ff2629b.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	434c4d6383148ec2d1e98e455ff2629b.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	434c4d6383148ec2d1e98e455ff2629b.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXELucca.exe.com

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Lucca.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Lucca.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Lucca.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Lucca.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Lucca.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C71EACF8AB7857F5F2DAC00ACB3E4659BDF1465D	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C71EACF8AB7857F5F2DAC00ACB3E4659BDF1465D\Blob = 030000000100000014000000c71eacf8ab7857f5f2dac00acb3e4659bdf1465d2000000001000000620200003082025e308201c7a00302010202081878a8fd2493b616300d06092a864886f70d01010b050030513128302606035504030c1f486f337473706f7420322e3020547275737420526f6f74204341202d20303331183016060355040a0c0f57464120486f7473706f7420322e30310b3009060355040613025553301e170d3139303732333038333735335a170d3233303732323038333735335a30513128302606035504030c1f486f337473706f7420322e3020547275737420526f6f74204341202d20303331183016060355040a0c0f57464120486f7473706f7420322e30310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a84c762830d21c487b7bd174b0f1e61c9780d556c8ad2db25a442cd87f8d6b174d64155cfec506bd282410615fbd9daf9ef8f9bf8cec0b828319d16393de72190278317de843c8a76b63cced80888a13227031da6a2bb510af6f26b694a31f7f3acdb16967ecfc5238b9f4b3698c51a87fa18cac6194090d2f51f5a3f1eb50990203010001a33f303d300f0603551d130101ff040530030101ff302a0603551d1104233021821f486f337473706f7420322e3020547275737420526f6f74204341202d203033300d06092a864886f70d01010b0500038181001ac8f101a20809f7e807a850f00b0d81b19faf14bdb9fc7a921dfde6e268fc4b3aad113068f5683ffa65c3600241261255b521d806ac204b42eee2e68d73d2a44532bd7da780649c811dcc82a2d18d0e06f8324582db852b991d462e4e9c1330b9b8d4655d60803c34b88fa619a723310760c9abc9dc42a29fbc75b9a19fc903	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3052 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1164 SmartClock.exe

pid	process
3052	PING.EXE

pid	process
1164	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
856	RUNDLL32.EXE
856	RUNDLL32.EXE
856	RUNDLL32.EXE
856	RUNDLL32.EXE
856	RUNDLL32.EXE
856	RUNDLL32.EXE
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
856	RUNDLL32.EXE
856	RUNDLL32.EXE
1128	powershell.exe
1128	powershell.exe
1128	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 856 RUNDLL32.EXE
Token: SeDebugPrivilege 1756 powershell.exe
Token: SeDebugPrivilege 1128 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

856 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	856	RUNDLL32.EXE
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

434c4d6383148ec2d1e98e455ff2629b.exevpn.execmd.execmd.exeLucca.exe.com4.exeLucca.exe.comqwvbaegb.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 752 wrote to memory of 3796	752	434c4d6383148ec2d1e98e455ff2629b.exe	4.exe
PID 752 wrote to memory of 3796	752	434c4d6383148ec2d1e98e455ff2629b.exe	4.exe
PID 752 wrote to memory of 3796	752	434c4d6383148ec2d1e98e455ff2629b.exe	4.exe
PID 752 wrote to memory of 3888	752	434c4d6383148ec2d1e98e455ff2629b.exe	vpn.exe
PID 752 wrote to memory of 3888	752	434c4d6383148ec2d1e98e455ff2629b.exe	vpn.exe
PID 752 wrote to memory of 3888	752	434c4d6383148ec2d1e98e455ff2629b.exe	vpn.exe
PID 3888 wrote to memory of 2556	3888	vpn.exe	cmd.exe
PID 3888 wrote to memory of 2556	3888	vpn.exe	cmd.exe
PID 3888 wrote to memory of 2556	3888	vpn.exe	cmd.exe
PID 2556 wrote to memory of 1904	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 1904	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 1904	2556	cmd.exe	cmd.exe
PID 1904 wrote to memory of 2408	1904	cmd.exe	findstr.exe
PID 1904 wrote to memory of 2408	1904	cmd.exe	findstr.exe
PID 1904 wrote to memory of 2408	1904	cmd.exe	findstr.exe
PID 1904 wrote to memory of 936	1904	cmd.exe	Lucca.exe.com
PID 1904 wrote to memory of 936	1904	cmd.exe	Lucca.exe.com
PID 1904 wrote to memory of 936	1904	cmd.exe	Lucca.exe.com
PID 1904 wrote to memory of 3052	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3052	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3052	1904	cmd.exe	PING.EXE
PID 936 wrote to memory of 648	936	Lucca.exe.com	Lucca.exe.com
PID 936 wrote to memory of 648	936	Lucca.exe.com	Lucca.exe.com
PID 936 wrote to memory of 648	936	Lucca.exe.com	Lucca.exe.com
PID 3796 wrote to memory of 1164	3796	4.exe	SmartClock.exe
PID 3796 wrote to memory of 1164	3796	4.exe	SmartClock.exe
PID 3796 wrote to memory of 1164	3796	4.exe	SmartClock.exe
PID 648 wrote to memory of 3200	648	Lucca.exe.com	qwvbaegb.exe
PID 648 wrote to memory of 3200	648	Lucca.exe.com	qwvbaegb.exe
PID 648 wrote to memory of 3200	648	Lucca.exe.com	qwvbaegb.exe
PID 648 wrote to memory of 4016	648	Lucca.exe.com	WScript.exe
PID 648 wrote to memory of 4016	648	Lucca.exe.com	WScript.exe
PID 648 wrote to memory of 4016	648	Lucca.exe.com	WScript.exe
PID 3200 wrote to memory of 1848	3200	qwvbaegb.exe	rundll32.exe
PID 3200 wrote to memory of 1848	3200	qwvbaegb.exe	rundll32.exe
PID 3200 wrote to memory of 1848	3200	qwvbaegb.exe	rundll32.exe
PID 648 wrote to memory of 3168	648	Lucca.exe.com	WScript.exe
PID 648 wrote to memory of 3168	648	Lucca.exe.com	WScript.exe
PID 648 wrote to memory of 3168	648	Lucca.exe.com	WScript.exe
PID 1848 wrote to memory of 856	1848	rundll32.exe	RUNDLL32.EXE
PID 1848 wrote to memory of 856	1848	rundll32.exe	RUNDLL32.EXE
PID 1848 wrote to memory of 856	1848	rundll32.exe	RUNDLL32.EXE
PID 856 wrote to memory of 1756	856	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 1756	856	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 1756	856	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 1128	856	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 1128	856	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 1128	856	RUNDLL32.EXE	powershell.exe
PID 1128 wrote to memory of 2452	1128	powershell.exe	nslookup.exe
PID 1128 wrote to memory of 2452	1128	powershell.exe	nslookup.exe
PID 1128 wrote to memory of 2452	1128	powershell.exe	nslookup.exe
PID 856 wrote to memory of 3244	856	RUNDLL32.EXE	schtasks.exe
PID 856 wrote to memory of 3244	856	RUNDLL32.EXE	schtasks.exe
PID 856 wrote to memory of 3244	856	RUNDLL32.EXE	schtasks.exe
PID 856 wrote to memory of 1220	856	RUNDLL32.EXE	schtasks.exe
PID 856 wrote to memory of 1220	856	RUNDLL32.EXE	schtasks.exe
PID 856 wrote to memory of 1220	856	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\434c4d6383148ec2d1e98e455ff2629b.exe
"C:\Users\Admin\AppData\Local\Temp\434c4d6383148ec2d1e98e455ff2629b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1164

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Miele.mpeg
3⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nuJmDolyOEafNkCbidgtyicKjPeDQxxFworNyycSxwBitdTxqUhgYpwdKZhOuHfxlNgFoOseVcKtGhFWVICViyHRu$" Gioco.mpeg
5⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
Lucca.exe.com e
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com e
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
"C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP,RAg8
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7125.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9190.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
11⤵
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:1220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbadkyvtcpnv.vbs"
7⤵
PID:4016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hougrlptmbk.vbs"
7⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3168

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
41c486d5eeef5e53f81e5e6f298d2e9b

SHA1
2ca09f905be740d3289b41e11646e9450e50a330

SHA256
070116928d1e038dfc77a2ddfc94390e705c1f9838a213773dbeba2f15276e50

SHA512
4318876030b15e96823edc5af8e0633e0e6e50dd96d2b7a27421a55e140ac70af9a767afaf2a1d506515f3f0bcdc372cab9cdbac589e2b6461124bf344e7323b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
245487229053fcb8956e9ec4f4e20225

SHA1
5b47b30902569bca8c21a29ec5c3628c562ec604

SHA256
0656856d7fd7a6904c730fbc5e422038047b398beda153a3e140c4b43f51b54f

SHA512
c19c913c358576845275adbd6354a14978c060de9b7982a4702aac7fcdf501d027c751b689de0a3c0b07459ef679db36bb25e3e751436d5a3f75ee14a7fe0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esitanza.mpeg
MD5
427c6ebcc433964a24b02173f29f50a2

SHA1
8d99cd9f94f102a174a153f002a48a202c9cf086

SHA256
73ce8f59b6e5236e39d061984ad5d9dae9e30ce0f57947485852eff2510011e3

SHA512
e9cd8901cd47e006e271401e51cfcd4f8bc807a50685a6a1e632e2b7aa4dfe4936a2cdaf96798151229e24ca0b99c32ef9238793058ddc26af698524b7694d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gioco.mpeg
MD5
3a0ff91c269582c1d565af0dc43bb90c

SHA1
2e30abe0a8ce9d88d30970045699bbe60f21f1bc

SHA256
db2812a7b23090ba287410fae0afcbee1b8bb53dcd1ce7c342005093c8cfbb2f

SHA512
9b14c7fb67fe331ca6dd0d445f9c449198c16939b08d53587005b70200db9f9d17d69ec65b18c84cfba4e51b1e53e72d72ddbd7c72db988cfffcffc3669ef1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Miele.mpeg
MD5
2855e5e33ce8a671af83d926edc50ca5

SHA1
abaa3f3dbd2e7015a16c86061b5ed50e9d9fdfe6

SHA256
4b47193fc4658debb1e8e9020ffc5242870c2d7a11fbf9dd401d5746baf390dd

SHA512
6dcc5a75d4bc5bef801cc396eaaa66c6920aedec66a0b48d68d7382856f181043c2d0cbb11a560926160f1fdfa342c37b517f2faf5118601365efd61206cd6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tue.mpeg
MD5
35b7b68ab0c10c09e68774cde98bd3f8

SHA1
4254c30bc7ca8972eb0889c62a114e9ae7db2242

SHA256
683e8ee070649cf1bb12c9259b5d1f557ef8e465ddb91b7c5c53db00c6ecabbc

SHA512
92fab930fcd0106644e09337995a019ab5f6df0bbe9fde2411714321c877df5fba331d40a4d55504c3bfba75fff041127755e7ef204bdd335bca96543c7368c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\e
MD5
427c6ebcc433964a24b02173f29f50a2

SHA1
8d99cd9f94f102a174a153f002a48a202c9cf086

SHA256
73ce8f59b6e5236e39d061984ad5d9dae9e30ce0f57947485852eff2510011e3

SHA512
e9cd8901cd47e006e271401e51cfcd4f8bc807a50685a6a1e632e2b7aa4dfe4936a2cdaf96798151229e24ca0b99c32ef9238793058ddc26af698524b7694d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
31b5d8e5ed683cc81b9bc86bb0e52cbf

SHA1
0e67c2ea30a6eea520ae7090103b40bf993912be

SHA256
210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55

SHA512
4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
31b5d8e5ed683cc81b9bc86bb0e52cbf

SHA1
0e67c2ea30a6eea520ae7090103b40bf993912be

SHA256
210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55

SHA512
4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
3e7e5920c63db4bb2e6ca27233a2dca2

SHA1
09dbb68babcda244a6ce0e36943493e9666dc9e4

SHA256
13b85b6a099f6744e182089650c5fd877331e8ca23c36f0df14587f8c05b48aa

SHA512
4ff2ea42da2b4cc7d76a8a4035bdf704475397b2462cd3ab9b75fb01d567f9774570d0922510f9c200b57cdeb46217102ad81990253379ef82c43c64a401117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
3e7e5920c63db4bb2e6ca27233a2dca2

SHA1
09dbb68babcda244a6ce0e36943493e9666dc9e4

SHA256
13b85b6a099f6744e182089650c5fd877331e8ca23c36f0df14587f8c05b48aa

SHA512
4ff2ea42da2b4cc7d76a8a4035bdf704475397b2462cd3ab9b75fb01d567f9774570d0922510f9c200b57cdeb46217102ad81990253379ef82c43c64a401117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP
MD5
7386df2d975ef96ef522799851969ce6

SHA1
c8cf209f8ade0a9cbb2fb85d7c85249e72a414ae

SHA256
329288495b2c02eca00ae8d1c3f60131332e68bcd5aedba63f3f60807fb23ed3

SHA512
350221cb59e35c4e6c737d52dfb46c506dae0332f51763f371ac4ba5b064ec3d2f49b429aca6f492687aeb4aaa65a2b25885f4ec9f148e5e2ae235ab70262861

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbadkyvtcpnv.vbs
MD5
b52338e634478d8e09589e5b9ab7ec1f

SHA1
29efae32c06d74ff6f3e0bd0330c382034fca786

SHA256
9a8c421ce86f8334480b94af8b447d2f9320584f76ce6126d8ae21d2fb7b5673

SHA512
34e45cecc66282cfca08d79715c2dff0c25dbe630d66df6542b5f499f8d37f7ce39ad86a6c4583e64bb091ca89389c6cae032d91293f5d621c1f3a94c1aebcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hougrlptmbk.vbs
MD5
2343f0f56c9d4ee879a90d4bab68c28e

SHA1
3ffcab229df5525f6472a1ddc7d097d018936127

SHA256
63deb1c937deee9e4a4c0695c35061902e2a0f4085ff9117b93166b5174e312a

SHA512
e2a2133c7c09ee88c3a5e2b1ee8a64ecf8e1ea7858987d770966c2c81e0fea708b618af5780fba13068aac8f2eb7fbd45249ed9e09c067f79aa433090e81ef72

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
MD5
52f6faca0532c27ff56d489fedfbe06f

SHA1
484bef833639d33a190899d7d78e78bf47199ab1

SHA256
7ede8f2954f1dd8de16087ee498117e51c1b7be094afaf879fe48f45dcab5c02

SHA512
7da1b2a60de69dbf1fa3f42f5293dea9dcbd5ece2c1f0e02ee6b4bd8185cf3ac7d2e2c654da163650676acf83e02115c0fd9c1fce6bb8a30dc02517a9be62c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
MD5
52f6faca0532c27ff56d489fedfbe06f

SHA1
484bef833639d33a190899d7d78e78bf47199ab1

SHA256
7ede8f2954f1dd8de16087ee498117e51c1b7be094afaf879fe48f45dcab5c02

SHA512
7da1b2a60de69dbf1fa3f42f5293dea9dcbd5ece2c1f0e02ee6b4bd8185cf3ac7d2e2c654da163650676acf83e02115c0fd9c1fce6bb8a30dc02517a9be62c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7125.tmp.ps1
MD5
3c652f66e511abf49b9ee3b7edaf5b2f

SHA1
5f74d6dd9efe737787f5fa3699197689877cea69

SHA256
113198ed3bc656cfec1018e44a7812c01564c143212a0f27226908f6dd3c662c

SHA512
568ea52248f733a745a092ec18cdae41b5356d7e468c02a595df746b2a9de5a76271f29c85e6978c70ce58b8d716d2f5228ce2e4950747db2cd22c3d47874fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7126.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9190.tmp.ps1
MD5
c05df059b13cec79179d2cee74ce8ee8

SHA1
aafb3f29583d6827c8d1e96393b10d08aa00605c

SHA256
f2d8beee55af53cffe14cc3c1a940a28a29bb9cc61b68a4dfe69feebb72d15e8

SHA512
f0c5f20bf95ab71b7e407d12f41a0656bfda22b9f2699cd7e0c51563cdb0a7e76686fdc68f40d98cb885e9f12f76617370f736e9b0f15c3e98e65c3552a91172

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91A0.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
31b5d8e5ed683cc81b9bc86bb0e52cbf

SHA1
0e67c2ea30a6eea520ae7090103b40bf993912be

SHA256
210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55

SHA512
4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
31b5d8e5ed683cc81b9bc86bb0e52cbf

SHA1
0e67c2ea30a6eea520ae7090103b40bf993912be

SHA256
210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55

SHA512
4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd

Download Submit
\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP
MD5
7386df2d975ef96ef522799851969ce6

SHA1
c8cf209f8ade0a9cbb2fb85d7c85249e72a414ae

SHA256
329288495b2c02eca00ae8d1c3f60131332e68bcd5aedba63f3f60807fb23ed3

SHA512
350221cb59e35c4e6c737d52dfb46c506dae0332f51763f371ac4ba5b064ec3d2f49b429aca6f492687aeb4aaa65a2b25885f4ec9f148e5e2ae235ab70262861

Download Submit
\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP
MD5
7386df2d975ef96ef522799851969ce6

SHA1
c8cf209f8ade0a9cbb2fb85d7c85249e72a414ae

SHA256
329288495b2c02eca00ae8d1c3f60131332e68bcd5aedba63f3f60807fb23ed3

SHA512
350221cb59e35c4e6c737d52dfb46c506dae0332f51763f371ac4ba5b064ec3d2f49b429aca6f492687aeb4aaa65a2b25885f4ec9f148e5e2ae235ab70262861

Download Submit
\Users\Admin\AppData\Local\Temp\nse9CF2.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/648-141-0x0000000001700000-0x000000000184A000-memory.dmp

Filesize
1.3MB

Download
memory/648-131-0x0000000000000000-mapping.dmp

Download
memory/856-161-0x0000000000000000-mapping.dmp

Download
memory/856-169-0x0000000004D50000-0x0000000005FE6000-memory.dmp

Filesize
18.6MB

Download
memory/936-127-0x0000000000000000-mapping.dmp

Download
memory/1128-225-0x0000000004873000-0x0000000004874000-memory.dmp

Filesize
4KB

Download
memory/1128-211-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1128-207-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1128-198-0x0000000000000000-mapping.dmp

Download
memory/1128-210-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/1128-212-0x0000000004872000-0x0000000004873000-memory.dmp

Filesize
4KB

Download
memory/1164-135-0x0000000000000000-mapping.dmp

Download
memory/1164-139-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/1164-140-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/1220-226-0x0000000000000000-mapping.dmp

Download
memory/1756-179-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/1756-193-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download
memory/1756-172-0x0000000000000000-mapping.dmp

Download
memory/1756-175-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/1756-176-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1756-177-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/1756-178-0x0000000006C82000-0x0000000006C83000-memory.dmp

Filesize
4KB

Download
memory/1756-197-0x0000000006C83000-0x0000000006C84000-memory.dmp

Filesize
4KB

Download
memory/1756-180-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/1756-181-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/1756-182-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/1756-183-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/1756-184-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/1756-185-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/1756-194-0x0000000009350000-0x0000000009351000-memory.dmp

Filesize
4KB

Download
memory/1756-187-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/1756-192-0x0000000009B20000-0x0000000009B21000-memory.dmp

Filesize
4KB

Download
memory/1848-164-0x00000000051B0000-0x0000000006446000-memory.dmp

Filesize
18.6MB

Download
memory/1848-148-0x0000000000000000-mapping.dmp

Download
memory/1904-123-0x0000000000000000-mapping.dmp

Download
memory/2408-124-0x0000000000000000-mapping.dmp

Download
memory/2452-221-0x0000000000000000-mapping.dmp

Download
memory/2556-121-0x0000000000000000-mapping.dmp

Download
memory/3052-129-0x0000000000000000-mapping.dmp

Download
memory/3168-153-0x0000000000000000-mapping.dmp

Download
memory/3200-149-0x0000000004B30000-0x0000000004C30000-memory.dmp

Filesize
1024KB

Download
memory/3200-150-0x0000000000400000-0x0000000002C50000-memory.dmp

Filesize
40.3MB

Download
memory/3200-143-0x0000000000000000-mapping.dmp

Download
memory/3244-224-0x0000000000000000-mapping.dmp

Download
memory/3796-134-0x0000000002C00000-0x0000000002CAE000-memory.dmp

Filesize
696KB

Download
memory/3796-115-0x0000000000000000-mapping.dmp

Download
memory/3796-138-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/3888-118-0x0000000000000000-mapping.dmp

Download
memory/4016-146-0x0000000000000000-mapping.dmp

Download