danabot | 5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9

Analysis

max time kernel
147s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
24-07-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lv (1).exe
Size

1.4MB
MD5

1ca90b66b79df8576c3d35bfad0f33fa
SHA1

17291f5b80496efc656a489c340d8856eec27ee3
SHA256

5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9
SHA512

9b9d171fac852ed1b52a20f09df0d8d7c8dc0d7e2e170028ddf531d552421e43150884e11b32725785c1f4cc6bbae3f17aead2a7ab3296d0bccd2b28c20cbae9

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

31 4404 WScript.exe
33 4404 WScript.exe
35 4404 WScript.exe
37 4404 WScript.exe
40 4364 rundll32.exe
41 4520 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vpn.exe4.exeViscere.exe.comSmartClock.exeViscere.exe.comqhnwbsfwvbx.exe

pid process

1852 vpn.exe
1952 4.exe
3604 Viscere.exe.com
2356 SmartClock.exe
3232 Viscere.exe.com
4284 qhnwbsfwvbx.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

lv (1).exerundll32.exeRUNDLL32.EXE

pid process

3224 lv (1).exe
4364 rundll32.exe
4520 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	pid	process
31	4404	WScript.exe
33	4404	WScript.exe
35	4404	WScript.exe
37	4404	WScript.exe
40	4364	rundll32.exe
41	4520	RUNDLL32.EXE

pid	process
1852	vpn.exe
1952	4.exe
3604	Viscere.exe.com
2356	SmartClock.exe
3232	Viscere.exe.com
4284	qhnwbsfwvbx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
3224	lv (1).exe
4364	rundll32.exe
4520	RUNDLL32.EXE

flow	ioc
15	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

rundll32.exelv (1).exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	lv (1).exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	lv (1).exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	lv (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEViscere.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Viscere.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Viscere.exe.com
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Viscere.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Viscere.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Viscere.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2762A5433B6F9394D002EE197C88599DCDBE6AC9	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2762A5433B6F9394D002EE197C88599DCDBE6AC9\Blob = 0300000001000000140000002762a5433b6f9394d002ee197c88599dcdbe6ac920000000010000007d02000030820279308201e2a00302010202087abb9dc3297e8b5d300d06092a864886f70d01010b050030623121301f06035504030c1844693067694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139303732353138303834325a170d3233303732343138303834325a30623121301f06035504030c1844693067694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100e1c8ddd61166d0ccab669b4331410688cb30d1b4b5dc6bc428ca7853ba6d2235449c5719b47cf6a2d0f77d146528475d65d37b3e751c9ab19ca314dee9de402021a7129ec70b9c40407137c7cbb0def962a95864f026514446ad89d309a65093525bee598b6575d43d4ad286789a0d88ece60c66832bbb7127092aee29a60ca90203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a821844693067694365727420476c6f62616c20526f6f74204732300d06092a864886f70d01010b050003818100cfa17e542cab475178b7780f524a73445997b18016a0a07fdc804df6a07063c246b4164f49c5d93231dc8efe52dd7cfd983aca6903b4b4ae94a69968bedb85f659c236a0592ed3da575a8debb3ec38a56ca955bbdf7aec46419bc397e27683464795ef43f964538af03f2cdd8c8f17ad78234a99279bd24bc7528e04249cc10b	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4060 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2356 SmartClock.exe

pid	process
4060	PING.EXE

pid	process
2356	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4520	RUNDLL32.EXE
4520	RUNDLL32.EXE
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4520 RUNDLL32.EXE
Token: SeDebugPrivilege 4644 powershell.exe
Token: SeDebugPrivilege 4936 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4520 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	4520	RUNDLL32.EXE
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

lv (1).exevpn.execmd.execmd.exe4.exeViscere.exe.comViscere.exe.comqhnwbsfwvbx.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3224 wrote to memory of 1852	3224	lv (1).exe	vpn.exe
PID 3224 wrote to memory of 1852	3224	lv (1).exe	vpn.exe
PID 3224 wrote to memory of 1852	3224	lv (1).exe	vpn.exe
PID 3224 wrote to memory of 1952	3224	lv (1).exe	4.exe
PID 3224 wrote to memory of 1952	3224	lv (1).exe	4.exe
PID 3224 wrote to memory of 1952	3224	lv (1).exe	4.exe
PID 1852 wrote to memory of 528	1852	vpn.exe	cmd.exe
PID 1852 wrote to memory of 528	1852	vpn.exe	cmd.exe
PID 1852 wrote to memory of 528	1852	vpn.exe	cmd.exe
PID 528 wrote to memory of 3404	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 3404	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 3404	528	cmd.exe	cmd.exe
PID 3404 wrote to memory of 3360	3404	cmd.exe	findstr.exe
PID 3404 wrote to memory of 3360	3404	cmd.exe	findstr.exe
PID 3404 wrote to memory of 3360	3404	cmd.exe	findstr.exe
PID 3404 wrote to memory of 3604	3404	cmd.exe	Viscere.exe.com
PID 3404 wrote to memory of 3604	3404	cmd.exe	Viscere.exe.com
PID 3404 wrote to memory of 3604	3404	cmd.exe	Viscere.exe.com
PID 3404 wrote to memory of 4060	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 4060	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 4060	3404	cmd.exe	PING.EXE
PID 1952 wrote to memory of 2356	1952	4.exe	SmartClock.exe
PID 1952 wrote to memory of 2356	1952	4.exe	SmartClock.exe
PID 1952 wrote to memory of 2356	1952	4.exe	SmartClock.exe
PID 3604 wrote to memory of 3232	3604	Viscere.exe.com	Viscere.exe.com
PID 3604 wrote to memory of 3232	3604	Viscere.exe.com	Viscere.exe.com
PID 3604 wrote to memory of 3232	3604	Viscere.exe.com	Viscere.exe.com
PID 3232 wrote to memory of 4284	3232	Viscere.exe.com	qhnwbsfwvbx.exe
PID 3232 wrote to memory of 4284	3232	Viscere.exe.com	qhnwbsfwvbx.exe
PID 3232 wrote to memory of 4284	3232	Viscere.exe.com	qhnwbsfwvbx.exe
PID 3232 wrote to memory of 4316	3232	Viscere.exe.com	WScript.exe
PID 3232 wrote to memory of 4316	3232	Viscere.exe.com	WScript.exe
PID 3232 wrote to memory of 4316	3232	Viscere.exe.com	WScript.exe
PID 4284 wrote to memory of 4364	4284	qhnwbsfwvbx.exe	rundll32.exe
PID 4284 wrote to memory of 4364	4284	qhnwbsfwvbx.exe	rundll32.exe
PID 4284 wrote to memory of 4364	4284	qhnwbsfwvbx.exe	rundll32.exe
PID 3232 wrote to memory of 4404	3232	Viscere.exe.com	WScript.exe
PID 3232 wrote to memory of 4404	3232	Viscere.exe.com	WScript.exe
PID 3232 wrote to memory of 4404	3232	Viscere.exe.com	WScript.exe
PID 4364 wrote to memory of 4520	4364	rundll32.exe	RUNDLL32.EXE
PID 4364 wrote to memory of 4520	4364	rundll32.exe	RUNDLL32.EXE
PID 4364 wrote to memory of 4520	4364	rundll32.exe	RUNDLL32.EXE
PID 4520 wrote to memory of 4644	4520	RUNDLL32.EXE	powershell.exe
PID 4520 wrote to memory of 4644	4520	RUNDLL32.EXE	powershell.exe
PID 4520 wrote to memory of 4644	4520	RUNDLL32.EXE	powershell.exe
PID 4520 wrote to memory of 4936	4520	RUNDLL32.EXE	powershell.exe
PID 4520 wrote to memory of 4936	4520	RUNDLL32.EXE	powershell.exe
PID 4520 wrote to memory of 4936	4520	RUNDLL32.EXE	powershell.exe
PID 4936 wrote to memory of 4128	4936	powershell.exe	nslookup.exe
PID 4936 wrote to memory of 4128	4936	powershell.exe	nslookup.exe
PID 4936 wrote to memory of 4128	4936	powershell.exe	nslookup.exe
PID 4520 wrote to memory of 4148	4520	RUNDLL32.EXE	schtasks.exe
PID 4520 wrote to memory of 4148	4520	RUNDLL32.EXE	schtasks.exe
PID 4520 wrote to memory of 4148	4520	RUNDLL32.EXE	schtasks.exe
PID 4520 wrote to memory of 4184	4520	RUNDLL32.EXE	schtasks.exe
PID 4520 wrote to memory of 4184	4520	RUNDLL32.EXE	schtasks.exe
PID 4520 wrote to memory of 4184	4520	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\lv (1).exe
"C:\Users\Admin\AppData\Local\Temp\lv (1).exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Neghi.avi
3⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ANQaarciHearBnDUfKcqmVFZJqIeIPPtXEvFeHAcDrnaOSAwUzpipHPEiQIsczmRjhyWwYRHpZbvbhkRmGogFIVfPSbjZoZlDGu$" Naso.avi
5⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
Viscere.exe.com z
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com z
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe
"C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,S C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.EXE
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,r1NcT284RA==
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
11⤵
PID:4128

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:4148

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:4184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sewqgfweyw.vbs"
7⤵
PID:4316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fqvsstbismlv.vbs"
7⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:4404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:4060

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
0833f9a0205db3fe05ca1b4d98478762

SHA1
c87138eb39028d249946be4fd905dbe8d5179dac

SHA256
22c8adbf42e60eb2d30177bdd3067ae69673f1a76550c229e9295a0e42800033

SHA512
c530c194ee966dbfeac9ad287b32d61d170b60201e9398c1aede887a503a2a963dea7b7324823f750b78280643c49b032dfedc5ad2c67eb6cd0e791a97e3839f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5590739c003a887a8a5c1f07904e2080

SHA1
8d9e5126ab51f71ed9587693a286ca8f6c865033

SHA256
e0861b6ed7921e17118a20e41c53e24ed5877536e133437dae20b8a99d3f5510

SHA512
df6f3d3048020bd58f16664258c472babb5af8f4b95e3dea1bb3c8e55aeab602c913bd4ac5007a2bb6a712ffc9c9ab9411deee89d0c6bf954965af78fe5353bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Convertira.avi
MD5
c05a30b650ace2b4b72914543296700c

SHA1
54939a977b0c4484772b2ceaa7f665c3fbfa918b

SHA256
8be982c5be3b9e3f4b7200425c32ceaf7cbc11c9a0751184a0110155f878bf93

SHA512
4e94f07697729edc9f4a9a9567b92b2545905e2399131809cbd64b440e3831af0cd4c350540f035d31c0e0a81a29148b8d75c20e87360c5749daf325a676d94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Naso.avi
MD5
a4a1a85e0674bbc7f9a1857c0eaee8fd

SHA1
649f0c4701a792bcdf72a716642b74b43b1208b3

SHA256
d7b6fd607898b2e7ce9811a25d853fe6321fc002bf557b36a07b4f35b0eff5e1

SHA512
7d65487441e736c247e146ff1543bf4857349964938f1cc2777b82c980e468de32c4da95b56a8a925b1934121910eb90206ed666fcd8e04625c357be4c5b6c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.avi
MD5
55c0d8f58f1fb8a46454dddcc48e3717

SHA1
8ff3a654f40693fc81f9af66640d7ef9a8e0a09b

SHA256
453f4cb90e3855c5a878bd2ccc0a335cc057450185bd5e6210817a0ebf57a574

SHA512
8760f57bff8f060caa8210f6004bdadd2550c5c5c3fa258c4436e63c9763610a925c523bf3f0450bf65ae6a231de8d3e25bd3b9cf9d9ba0dc18271b0362ff8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.avi
MD5
70c58e6763625265378b34f8e2b06c42

SHA1
466bbbee26771d8c683cb2627494186d6d3a6e3a

SHA256
d0afabb8ea4157962940f102146b9cd73d925ef83df787fe1944af10134cb212

SHA512
aefddb7a6fb1294727d38433d480abf2cbff4eedd6d357a8c5336069b29a0bfa8a902922a42ade0e196a83c2a045358bb7c5b225fb850a3b9f242284a6791f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\z
MD5
c05a30b650ace2b4b72914543296700c

SHA1
54939a977b0c4484772b2ceaa7f665c3fbfa918b

SHA256
8be982c5be3b9e3f4b7200425c32ceaf7cbc11c9a0751184a0110155f878bf93

SHA512
4e94f07697729edc9f4a9a9567b92b2545905e2399131809cbd64b440e3831af0cd4c350540f035d31c0e0a81a29148b8d75c20e87360c5749daf325a676d94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
9c5699289a1a5a3cfbca9bbd4afd0c6c

SHA1
bbd6d5e48c86b6f3461c9f7b286a0b310865093f

SHA256
f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700

SHA512
b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
9c5699289a1a5a3cfbca9bbd4afd0c6c

SHA1
bbd6d5e48c86b6f3461c9f7b286a0b310865093f

SHA256
f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700

SHA512
b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
29b9e814ee33caf130223b113d874521

SHA1
02360054dcb01ff0f9d17d49e2352f158fb3b6be

SHA256
5f1aab2b3cc81883ab4c0d8cbf4932be10833af04c182110c542b7cfc9a2254e

SHA512
6778f368d082c69ed455af057d5d34164ce2a7449857f5b39ab78cb6658bcda55fd6da41a04df291b80076f8b37d0aa81d89f2dde2562a84016fcbabf610620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
29b9e814ee33caf130223b113d874521

SHA1
02360054dcb01ff0f9d17d49e2352f158fb3b6be

SHA256
5f1aab2b3cc81883ab4c0d8cbf4932be10833af04c182110c542b7cfc9a2254e

SHA512
6778f368d082c69ed455af057d5d34164ce2a7449857f5b39ab78cb6658bcda55fd6da41a04df291b80076f8b37d0aa81d89f2dde2562a84016fcbabf610620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP
MD5
048c99a09fff8d58f078827119dfd652

SHA1
9d1dc7f2f4ab3a5273a21072c1121527d42de414

SHA256
d87d64d9c402d5e16db212cc7f8d3e28cc4f32d6cae922ee158ec979d352f6b5

SHA512
a4ffa0eb3bb24423dd27bbce753557ee3224850c3f350a05770440892f723f9a1bfb99897dce964de0fc26eddc79769b8134eb456cf022a86716301afbaa82d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqvsstbismlv.vbs
MD5
f07f4c339cd230b60932b12edd34dee3

SHA1
2724f4dbcdadc45353cdafcf170bb0e7c5c342d2

SHA256
8b3c638a3ad5b622f52e8234d39f931296fa5969743ac598faca9837ded2e6b8

SHA512
44aea3b41e2ff16616db4dcb2cba7695853c31af401e05886f7f5469e364382b39501763edd5dd504a7a29819ba4713b91470b406bf50bd07d1d77342641d697

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe
MD5
cbaa6b69554effbf2b60f9829e50b717

SHA1
d1ec7b45777d4e0e02cc4f32ba0cc08010044617

SHA256
c203f54c9cb5f39279de31e42b4ecf80fea8005d77c03ff20b1cd7cccd0c0620

SHA512
9528072fcfb843cc81d63818e2637937d220e35c3eaaee6ea90df003f0228eb44693cf5c91ef8255720bffeede5b8f83038a5f255b73057ec0708b8a5e0819e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe
MD5
cbaa6b69554effbf2b60f9829e50b717

SHA1
d1ec7b45777d4e0e02cc4f32ba0cc08010044617

SHA256
c203f54c9cb5f39279de31e42b4ecf80fea8005d77c03ff20b1cd7cccd0c0620

SHA512
9528072fcfb843cc81d63818e2637937d220e35c3eaaee6ea90df003f0228eb44693cf5c91ef8255720bffeede5b8f83038a5f255b73057ec0708b8a5e0819e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sewqgfweyw.vbs
MD5
e8057d9f1b87f5715f03cb148b3dc6e9

SHA1
4c2f6cc05c01655f98a672e512e8542f31712948

SHA256
531ececc726cfd1eb86784a170fc860b68e04922a376406c6cfca8e3abe8dd3b

SHA512
d8efebe977a5b9e12a55ea63a65c8e9ac4402b5b8904243c4cbc8cc0a4e9dce414bc9a77a90d7a628422db50e939cb66f87054aa001ed9afade0dac4b13c2f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp.ps1
MD5
5caee8ba81c7d4072b1b32c2bd048014

SHA1
01b3a70187f42697a91ffc97e57ccd8ac5c02418

SHA256
7d69e0dece805f9ed9bd09a1c85bbd40f63a2ab557b38b2ff3123d2e493862fb

SHA512
5d0d248a775aa6a92abc42a91344b251eb3e076def4a9325d5ef8df3f7650c87be27c29221d6b42815289bd0382001ef4670ba1470f67c45562ae83e159dec48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD469.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp.ps1
MD5
04868a1dade761e7cfc7e47e852b2ab1

SHA1
b8729a076496d18e45d9f2c6ab2252fba74100cb

SHA256
59fa511860dd43d06ca8386a0fd4326fcf4636ebb36ff704ab1be4a0da7b5e02

SHA512
1db562b91f17f1b62c7a94294fd18e687efabc312dbc91bc250e1be7bfca17f8e2471b0bf979abb8667a0275a8f3e098c4e08a21938abd3327d1669ada74b326

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5D0.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
9c5699289a1a5a3cfbca9bbd4afd0c6c

SHA1
bbd6d5e48c86b6f3461c9f7b286a0b310865093f

SHA256
f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700

SHA512
b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
9c5699289a1a5a3cfbca9bbd4afd0c6c

SHA1
bbd6d5e48c86b6f3461c9f7b286a0b310865093f

SHA256
f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700

SHA512
b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

Download Submit
\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP
MD5
048c99a09fff8d58f078827119dfd652

SHA1
9d1dc7f2f4ab3a5273a21072c1121527d42de414

SHA256
d87d64d9c402d5e16db212cc7f8d3e28cc4f32d6cae922ee158ec979d352f6b5

SHA512
a4ffa0eb3bb24423dd27bbce753557ee3224850c3f350a05770440892f723f9a1bfb99897dce964de0fc26eddc79769b8134eb456cf022a86716301afbaa82d9

Download Submit
\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP
MD5
048c99a09fff8d58f078827119dfd652

SHA1
9d1dc7f2f4ab3a5273a21072c1121527d42de414

SHA256
d87d64d9c402d5e16db212cc7f8d3e28cc4f32d6cae922ee158ec979d352f6b5

SHA512
a4ffa0eb3bb24423dd27bbce753557ee3224850c3f350a05770440892f723f9a1bfb99897dce964de0fc26eddc79769b8134eb456cf022a86716301afbaa82d9

Download Submit
\Users\Admin\AppData\Local\Temp\nssEDB.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/528-121-0x0000000000000000-mapping.dmp

Download
memory/1852-115-0x0000000000000000-mapping.dmp

Download
memory/1952-131-0x0000000002CA0000-0x0000000002DEA000-memory.dmp

Filesize
1.3MB

Download
memory/1952-118-0x0000000000000000-mapping.dmp

Download
memory/1952-132-0x0000000000400000-0x0000000002C91000-memory.dmp

Filesize
40.6MB

Download
memory/2356-140-0x0000000000400000-0x0000000002C91000-memory.dmp

Filesize
40.6MB

Download
memory/2356-139-0x00000000030E0000-0x0000000003106000-memory.dmp

Filesize
152KB

Download
memory/2356-133-0x0000000000000000-mapping.dmp

Download
memory/3232-141-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3232-136-0x0000000000000000-mapping.dmp

Download
memory/3360-124-0x0000000000000000-mapping.dmp

Download
memory/3404-123-0x0000000000000000-mapping.dmp

Download
memory/3604-127-0x0000000000000000-mapping.dmp

Download
memory/4060-130-0x0000000000000000-mapping.dmp

Download
memory/4128-213-0x0000000000000000-mapping.dmp

Download
memory/4148-216-0x0000000000000000-mapping.dmp

Download
memory/4184-218-0x0000000000000000-mapping.dmp

Download
memory/4284-152-0x0000000000400000-0x0000000000986000-memory.dmp

Filesize
5.5MB

Download
memory/4284-143-0x0000000000000000-mapping.dmp

Download
memory/4284-151-0x00000000026E0000-0x00000000027DF000-memory.dmp

Filesize
1020KB

Download
memory/4316-146-0x0000000000000000-mapping.dmp

Download
memory/4364-148-0x0000000000000000-mapping.dmp

Download
memory/4364-160-0x0000000004FE0000-0x0000000006276000-memory.dmp

Filesize
18.6MB

Download
memory/4404-153-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x0000000004B70000-0x0000000005E06000-memory.dmp

Filesize
18.6MB

Download
memory/4520-157-0x0000000000000000-mapping.dmp

Download
memory/4644-174-0x0000000006FB2000-0x0000000006FB3000-memory.dmp

Filesize
4KB

Download
memory/4644-167-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4644-177-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/4644-164-0x0000000000000000-mapping.dmp

Download
memory/4644-179-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/4644-184-0x0000000009C50000-0x0000000009C51000-memory.dmp

Filesize
4KB

Download
memory/4644-185-0x00000000091E0000-0x00000000091E1000-memory.dmp

Filesize
4KB

Download
memory/4644-186-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/4644-175-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/4644-189-0x0000000006FB3000-0x0000000006FB4000-memory.dmp

Filesize
4KB

Download
memory/4644-168-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/4644-176-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/4644-169-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/4644-173-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/4644-170-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/4644-171-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/4644-172-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/4936-204-0x00000000073D2000-0x00000000073D3000-memory.dmp

Filesize
4KB

Download
memory/4936-203-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/4936-202-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/4936-199-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/4936-217-0x00000000073D3000-0x00000000073D4000-memory.dmp

Filesize
4KB

Download
memory/4936-190-0x0000000000000000-mapping.dmp

Download