danabot | d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c

Analysis

max time kernel
146s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
25-07-2021 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab97379430925c314d088393a8b39e15.exe
Size

1.1MB
MD5

ab97379430925c314d088393a8b39e15
SHA1

f6f67f43bedd372da5cfcb18dae42e7139d25c04
SHA256

d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c
SHA512

63b82abdf1db7c0ef80dd2cce925f2aafb0ed7d55931b35ea8f244153b5e027c689623024f114d13bcb31d189e6a8ddcec289f7a2cac9f8c4b2e38cd67c2922d

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

32 408 WScript.exe
34 408 WScript.exe
36 408 WScript.exe
38 408 WScript.exe
41 1524 rundll32.exe
42 2148 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

4.exevpn.exeSorridente.exe.comSorridente.exe.comSmartClock.exelxqykkjlff.exe

pid process

1444 4.exe
1584 vpn.exe
3700 Sorridente.exe.com
3692 Sorridente.exe.com
4016 SmartClock.exe
2628 lxqykkjlff.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

ab97379430925c314d088393a8b39e15.exerundll32.exeRUNDLL32.EXE

pid process

3972 ab97379430925c314d088393a8b39e15.exe
1524 rundll32.exe
2148 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
32	408	WScript.exe
34	408	WScript.exe
36	408	WScript.exe
38	408	WScript.exe
41	1524	rundll32.exe
42	2148	RUNDLL32.EXE

pid	process
1444	4.exe
1584	vpn.exe
3700	Sorridente.exe.com
3692	Sorridente.exe.com
4016	SmartClock.exe
2628	lxqykkjlff.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
3972	ab97379430925c314d088393a8b39e15.exe
1524	rundll32.exe
2148	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vpn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vpn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2148 set thread context of 2692 2148 RUNDLL32.EXE rundll32.exe

flow	ioc
16	ip-api.com

description	pid	process	target process
PID 2148 set thread context of 2692	2148	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

rundll32.exeab97379430925c314d088393a8b39e15.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	ab97379430925c314d088393a8b39e15.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	ab97379430925c314d088393a8b39e15.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	ab97379430925c314d088393a8b39e15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXESorridente.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sorridente.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sorridente.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Sorridente.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Sorridente.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Sorridente.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\593788CA1AA4AC0352A734408D7A00675FA2ACF8	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\593788CA1AA4AC0352A734408D7A00675FA2ACF8\Blob = 030000000100000014000000593788ca1aa4ac0352a734408d7a00675fa2acf82000000001000000b3020000308202af30820218a00302010202085b5bed3e1933e634300d06092a864886f70d01010b050030743133303106035504030c2a4d693463726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3139303732363038303831395a170d3233303732353038303831395a30743133303106035504030c2a4d693463726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100c6069aee3718c7cbdf95551cdba654e4b829a097ed47fdd59cd23fb863d3923ff1e96f01504a130a6a5a8c187269f0e98d994e637c771cbd10872e944911688c21abb384520f1e320e0a3b13ef333b8e49021a6cea764f04bb7c93719060b4a6a5cac5a2cfff7a66a4ade96c750d389f03a8e25c006f222dd8efae91b61559230203010001a34a3048300f0603551d130101ff040530030101ff30350603551d11042e302c822a4d693463726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131300d06092a864886f70d01010b050003818100430909958cb2491ab0b5242831d810f139373b5f6207fcca6d16d18721b1d6dbed5fb845f1461cd02caa4f9003a37f046a936de3b20ec062624c5239da5e372f52c26110e9548eeee94bd02f2c5c45bf32ef342744eab5bce1b2df906fc9aff95e7e597da98ac252035beb5eb8eb6ca9f34cb52ffd60d746d2306b1dfde90dd2	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2644 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4016 SmartClock.exe

pid	process
2644	PING.EXE

pid	process
4016	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
2148	RUNDLL32.EXE
2148	RUNDLL32.EXE
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2148 RUNDLL32.EXE
Token: SeDebugPrivilege 2084 powershell.exe
Token: SeDebugPrivilege 3616 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2148 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2148	RUNDLL32.EXE
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

ab97379430925c314d088393a8b39e15.exevpn.execmd.execmd.exeSorridente.exe.com4.exeSorridente.exe.comlxqykkjlff.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3972 wrote to memory of 1444	3972	ab97379430925c314d088393a8b39e15.exe	4.exe
PID 3972 wrote to memory of 1444	3972	ab97379430925c314d088393a8b39e15.exe	4.exe
PID 3972 wrote to memory of 1444	3972	ab97379430925c314d088393a8b39e15.exe	4.exe
PID 3972 wrote to memory of 1584	3972	ab97379430925c314d088393a8b39e15.exe	vpn.exe
PID 3972 wrote to memory of 1584	3972	ab97379430925c314d088393a8b39e15.exe	vpn.exe
PID 3972 wrote to memory of 1584	3972	ab97379430925c314d088393a8b39e15.exe	vpn.exe
PID 1584 wrote to memory of 2360	1584	vpn.exe	cmd.exe
PID 1584 wrote to memory of 2360	1584	vpn.exe	cmd.exe
PID 1584 wrote to memory of 2360	1584	vpn.exe	cmd.exe
PID 1584 wrote to memory of 2632	1584	vpn.exe	cmd.exe
PID 1584 wrote to memory of 2632	1584	vpn.exe	cmd.exe
PID 1584 wrote to memory of 2632	1584	vpn.exe	cmd.exe
PID 2632 wrote to memory of 3516	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 3516	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 3516	2632	cmd.exe	cmd.exe
PID 3516 wrote to memory of 200	3516	cmd.exe	findstr.exe
PID 3516 wrote to memory of 200	3516	cmd.exe	findstr.exe
PID 3516 wrote to memory of 200	3516	cmd.exe	findstr.exe
PID 3516 wrote to memory of 3700	3516	cmd.exe	Sorridente.exe.com
PID 3516 wrote to memory of 3700	3516	cmd.exe	Sorridente.exe.com
PID 3516 wrote to memory of 3700	3516	cmd.exe	Sorridente.exe.com
PID 3516 wrote to memory of 2644	3516	cmd.exe	PING.EXE
PID 3516 wrote to memory of 2644	3516	cmd.exe	PING.EXE
PID 3516 wrote to memory of 2644	3516	cmd.exe	PING.EXE
PID 3700 wrote to memory of 3692	3700	Sorridente.exe.com	Sorridente.exe.com
PID 3700 wrote to memory of 3692	3700	Sorridente.exe.com	Sorridente.exe.com
PID 3700 wrote to memory of 3692	3700	Sorridente.exe.com	Sorridente.exe.com
PID 1444 wrote to memory of 4016	1444	4.exe	SmartClock.exe
PID 1444 wrote to memory of 4016	1444	4.exe	SmartClock.exe
PID 1444 wrote to memory of 4016	1444	4.exe	SmartClock.exe
PID 3692 wrote to memory of 2628	3692	Sorridente.exe.com	lxqykkjlff.exe
PID 3692 wrote to memory of 2628	3692	Sorridente.exe.com	lxqykkjlff.exe
PID 3692 wrote to memory of 2628	3692	Sorridente.exe.com	lxqykkjlff.exe
PID 3692 wrote to memory of 2680	3692	Sorridente.exe.com	WScript.exe
PID 3692 wrote to memory of 2680	3692	Sorridente.exe.com	WScript.exe
PID 3692 wrote to memory of 2680	3692	Sorridente.exe.com	WScript.exe
PID 2628 wrote to memory of 1524	2628	lxqykkjlff.exe	rundll32.exe
PID 2628 wrote to memory of 1524	2628	lxqykkjlff.exe	rundll32.exe
PID 2628 wrote to memory of 1524	2628	lxqykkjlff.exe	rundll32.exe
PID 3692 wrote to memory of 408	3692	Sorridente.exe.com	WScript.exe
PID 3692 wrote to memory of 408	3692	Sorridente.exe.com	WScript.exe
PID 3692 wrote to memory of 408	3692	Sorridente.exe.com	WScript.exe
PID 1524 wrote to memory of 2148	1524	rundll32.exe	RUNDLL32.EXE
PID 1524 wrote to memory of 2148	1524	rundll32.exe	RUNDLL32.EXE
PID 1524 wrote to memory of 2148	1524	rundll32.exe	RUNDLL32.EXE
PID 2148 wrote to memory of 2692	2148	RUNDLL32.EXE	rundll32.exe
PID 2148 wrote to memory of 2692	2148	RUNDLL32.EXE	rundll32.exe
PID 2148 wrote to memory of 2692	2148	RUNDLL32.EXE	rundll32.exe
PID 2148 wrote to memory of 2084	2148	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 2084	2148	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 2084	2148	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 3616	2148	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 3616	2148	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 3616	2148	RUNDLL32.EXE	powershell.exe
PID 3616 wrote to memory of 2140	3616	powershell.exe	nslookup.exe
PID 3616 wrote to memory of 2140	3616	powershell.exe	nslookup.exe
PID 3616 wrote to memory of 2140	3616	powershell.exe	nslookup.exe
PID 2148 wrote to memory of 3620	2148	RUNDLL32.EXE	schtasks.exe
PID 2148 wrote to memory of 3620	2148	RUNDLL32.EXE	schtasks.exe
PID 2148 wrote to memory of 3620	2148	RUNDLL32.EXE	schtasks.exe
PID 2148 wrote to memory of 1872	2148	RUNDLL32.EXE	schtasks.exe
PID 2148 wrote to memory of 1872	2148	RUNDLL32.EXE	schtasks.exe
PID 2148 wrote to memory of 1872	2148	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ab97379430925c314d088393a8b39e15.exe
"C:\Users\Admin\AppData\Local\Temp\ab97379430925c314d088393a8b39e15.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4016

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c YJktxkgm
3⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Sfinge.vsdm
3⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XvFshFVovrUIndZSFBxxytnrIUNDETWbxfrjHpPpZeHGABxnUuWmzuATXBIzSaECibhojMlvLkxevSDiAfIbXvrhOlfyAvsHntnrhkkoWANoMbvyXATDKiFKzqz$" Vorrei.vsdm
5⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
Sorridente.exe.com E
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com E
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\lxqykkjlff.exe
"C:\Users\Admin\AppData\Local\Temp\lxqykkjlff.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\LXQYKK~1.TMP,S C:\Users\Admin\AppData\Local\Temp\LXQYKK~1.EXE
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\LXQYKK~1.TMP,cSBRc1g4eg==
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
10⤵
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF782.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
11⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:1872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\akmvuexwdix.vbs"
7⤵
PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wxhmndheibio.vbs"
7⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:408

C:\Windows\SysWOW64\PING.EXE
ping RJMQBVDN -n 30
5⤵
- Runs ping.exe
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
b2b4ed93d5effe209d9613e446f4bce3

SHA1
2ba57bce3da8428eb8b43e6e2ac2732d3f0ca0b6

SHA256
c33d4b03437068364751cee9c802c0639b471e555aa9c03a383c0385ecab1545

SHA512
0c0b1b4b339c2ecdb368d8f1d4078eabe27ffef5aff5ab0ba1c2fad2b3791b9132a6404c75cf1b5f4ad95185c9530049ebd7235d034a6602535285397fc7e080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
32b48b268aa42e05775f59de3515cb56

SHA1
9dc48c326cfc30717234da2ec3e45b3f4f6b0504

SHA256
33ffd1a8d8064708ce74822fbc1e03ed559ed24e1583fee0d765ad465250df03

SHA512
57a0ae7c099e69d575bc915f2a09f8998d61537b99564caf7a94bf4e5891dd5dedaa00a16a209534c05c946b54945b4f61b3dd43f352163873e13737d11b01cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E
MD5
4c5c7f3e7362720b4241f8efbb2be752

SHA1
be23ecf084cbf60b0f7bab86701cff9dfb1c2760

SHA256
c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3

SHA512
2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensato.vsdm
MD5
4c5e138f22c752587d27c5047f1c9adc

SHA1
64549847c05c5a08e2c66fc5591a5b1103714bd2

SHA256
e260b4bb610bb0ddfa0889f497430539bd85a7928fc37002114e87091f2ead62

SHA512
8c00eb836c230ae57465b1cde318c3d441327853d1685066fe91caa2ad7fef3c3be9cda549f5bb753e2fea5a41f798fec3d22075589144365b95eb9f64ad1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.vsdm
MD5
4c5c7f3e7362720b4241f8efbb2be752

SHA1
be23ecf084cbf60b0f7bab86701cff9dfb1c2760

SHA256
c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3

SHA512
2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfinge.vsdm
MD5
2330ab365da0a8cf6c766b2c38b3704b

SHA1
faded741162dc8c18b2fdb870b07d956ffb1558b

SHA256
61342f8e9ea670d0d3f73273288ee0d67a10e0560e6a455cbf8d585a4119ec11

SHA512
d3acac95e7fbbd47f5c45cde0737fdea200e4aa97f1e4fdad0d8e8b41b2c163e71798656eafe42338f018ca0d8507739841e5f39603e3d556ca452c46e72ded3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorrei.vsdm
MD5
88b40e7263e5a4a08f6e097581a400ad

SHA1
67fdbd36361a85edb562fd1dbb9227916a4a09c4

SHA256
4f36363fb3bc37dc1fb6af3f450f509f47e201285b4815ef2e9bbba540fdf2fc

SHA512
edf8da6848baf6f5e939be35bd7e27f3b2939b519b6d9c8388f6d5af68920c46b3c90a13a91041b0bd0b65b121ddda6554f10f387fd03655d7c9d7652e7ee51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXQYKK~1.TMP
MD5
ee13cc90fabfc6ac9c4e8a00ed3805af

SHA1
b50098d0e99a9f0f88624e58701c1a9570e421ae

SHA256
3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b

SHA512
5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1fc6818cdb44bf2bc9b2c645aea6bcdb

SHA1
75555d6dab5ce575d99cd19d97748ef0e27d7858

SHA256
6cb2f66383a326920b7f66b41774e97731536ef7e469da80e2064d4aaddfaf42

SHA512
bed683d5ae1dc2524c3b8512e2abca4439dd1d2e9b6f0d9e0391618fc6a00259ebd30ab324bc9ff564f7eb33c2f73f778a675ab46f3e724117634164ca75143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1fc6818cdb44bf2bc9b2c645aea6bcdb

SHA1
75555d6dab5ce575d99cd19d97748ef0e27d7858

SHA256
6cb2f66383a326920b7f66b41774e97731536ef7e469da80e2064d4aaddfaf42

SHA512
bed683d5ae1dc2524c3b8512e2abca4439dd1d2e9b6f0d9e0391618fc6a00259ebd30ab324bc9ff564f7eb33c2f73f778a675ab46f3e724117634164ca75143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
51aebb77c703d0ee1f9246828af5105f

SHA1
fe0710ab9e6663f2b76c5fe5ff76c9c9f7e741d2

SHA256
53f273aa3da76fc6b2f4293bf11b2c4695f0afd777ee7467b1f67af65b0b61ff

SHA512
d16449b33c43354bd082f9e37faf566f3a570445836227f104c99518c5ad8788ad5d5aa8db5e9fd0d7f9a2a48df381a6ec85a4fcba2f682a33295abaeff18012

Download Submit
C:\Users\Admin\AppData\Local\Temp\akmvuexwdix.vbs
MD5
f8e8e269e9011509a24eae66b25872e8

SHA1
a42fd5617a1857defb24fedf0e7d93ddb454180c

SHA256
7de04d5424baadcbc64d358afe719ccf01af4067772aed534b64c73749589412

SHA512
7de26c695057820d693091888b5a0ba3630d9e5040e9a9a518ccb84637f4b2b8aa4af1b5e284329bb22d6b9b1c3c852fa830006253993d96a3d144731ec1cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxqykkjlff.exe
MD5
1df80dc87cbf0939f1d693c02c538c78

SHA1
1bb689f77d4548f07cd39b41d91996bf60185eac

SHA256
2f13aeda87ac36d7d1ed671093fb1c713eebba7c3536ccf44486aad6ae679450

SHA512
dbba7852f6d11efdc1ac05dfd9ef2b21d9c4bc8d40f6a87db2dc31c790401d33957b4579a7f1a92b5222d9d2c79e6dc6ea101cfcabc4cf53b81aebf220440efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxqykkjlff.exe
MD5
1df80dc87cbf0939f1d693c02c538c78

SHA1
1bb689f77d4548f07cd39b41d91996bf60185eac

SHA256
2f13aeda87ac36d7d1ed671093fb1c713eebba7c3536ccf44486aad6ae679450

SHA512
dbba7852f6d11efdc1ac05dfd9ef2b21d9c4bc8d40f6a87db2dc31c790401d33957b4579a7f1a92b5222d9d2c79e6dc6ea101cfcabc4cf53b81aebf220440efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.ps1
MD5
c0d556ab0c5a3f4aaf9e6a64c42319ed

SHA1
816ffeb4f1eddb06cc8163d71c80ff9fdf5ec5f6

SHA256
c487cf7b3112361240d28c0d47f900b014dc8b8d5c9c676c66401457a553a34a

SHA512
d40684586a6a711de1db6fb4d2ba4aa75d8b74ebd35747ae3412e42250d8a67ff86fc6f16557da3cf96523e83ce66808695b25d4ac636438513c866129263a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE541.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF782.tmp.ps1
MD5
ccdbd2943b22e861413e72f38e068d0a

SHA1
44e4fef952e4e89b169a2f25bb8b948350e32b62

SHA256
f79dab23b58d8815ca88101f498e2c215a4b6bb7acd70e473f5a907cf604f51a

SHA512
397bcb4f5dd60d5bed4c099bef453fe9f67489345d30dba64105f9fc17a3c1e18c2b2d497dd28549477de09550feb4b793e1b38013b95a7556d4a5a680423ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF793.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxhmndheibio.vbs
MD5
246320ad2cb24db3c8cc79864a80a1d5

SHA1
c2cdf6ff74096d72e12acc7ec340a84cb85ec5d2

SHA256
f474599958b14b719345894fc7660f3b40414f01f8bf554ffa62978f2063dc44

SHA512
65caee14037220ac8b51bc812bee0da95d0c8ae6c282ae076230eff353ceb6f03ee842566d0341a72782218611c8569df2c6b2e75bd4e989537481022430bc3e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1fc6818cdb44bf2bc9b2c645aea6bcdb

SHA1
75555d6dab5ce575d99cd19d97748ef0e27d7858

SHA256
6cb2f66383a326920b7f66b41774e97731536ef7e469da80e2064d4aaddfaf42

SHA512
bed683d5ae1dc2524c3b8512e2abca4439dd1d2e9b6f0d9e0391618fc6a00259ebd30ab324bc9ff564f7eb33c2f73f778a675ab46f3e724117634164ca75143e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1fc6818cdb44bf2bc9b2c645aea6bcdb

SHA1
75555d6dab5ce575d99cd19d97748ef0e27d7858

SHA256
6cb2f66383a326920b7f66b41774e97731536ef7e469da80e2064d4aaddfaf42

SHA512
bed683d5ae1dc2524c3b8512e2abca4439dd1d2e9b6f0d9e0391618fc6a00259ebd30ab324bc9ff564f7eb33c2f73f778a675ab46f3e724117634164ca75143e

Download Submit
\Users\Admin\AppData\Local\Temp\LXQYKK~1.TMP
MD5
ee13cc90fabfc6ac9c4e8a00ed3805af

SHA1
b50098d0e99a9f0f88624e58701c1a9570e421ae

SHA256
3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b

SHA512
5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537

Download Submit
\Users\Admin\AppData\Local\Temp\LXQYKK~1.TMP
MD5
ee13cc90fabfc6ac9c4e8a00ed3805af

SHA1
b50098d0e99a9f0f88624e58701c1a9570e421ae

SHA256
3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b

SHA512
5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537

Download Submit
\Users\Admin\AppData\Local\Temp\nsf20AE.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/200-124-0x0000000000000000-mapping.dmp

Download
memory/408-152-0x0000000000000000-mapping.dmp

Download
memory/1444-115-0x0000000000000000-mapping.dmp

Download
memory/1444-138-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1444-137-0x0000000001F70000-0x0000000001F96000-memory.dmp

Filesize
152KB

Download
memory/1524-147-0x0000000000000000-mapping.dmp

Download
memory/1524-163-0x0000000005190000-0x0000000006426000-memory.dmp

Filesize
18.6MB

Download
memory/1584-118-0x0000000000000000-mapping.dmp

Download
memory/1872-231-0x0000000000000000-mapping.dmp

Download
memory/2084-202-0x0000000006F03000-0x0000000006F04000-memory.dmp

Filesize
4KB

Download
memory/2084-174-0x0000000000000000-mapping.dmp

Download
memory/2084-184-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/2084-199-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/2084-198-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/2084-197-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/2084-192-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/2084-190-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/2084-189-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2084-185-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2084-188-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2084-187-0x0000000006F02000-0x0000000006F03000-memory.dmp

Filesize
4KB

Download
memory/2084-186-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/2084-180-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2084-181-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2084-182-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/2084-183-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/2140-226-0x0000000000000000-mapping.dmp

Download
memory/2148-175-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/2148-160-0x0000000000000000-mapping.dmp

Download
memory/2148-170-0x0000000004CF0000-0x0000000005F86000-memory.dmp

Filesize
18.6MB

Download
memory/2360-120-0x0000000000000000-mapping.dmp

Download
memory/2628-151-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2628-150-0x00000000022E0000-0x00000000023E0000-memory.dmp

Filesize
1024KB

Download
memory/2628-142-0x0000000000000000-mapping.dmp

Download
memory/2632-121-0x0000000000000000-mapping.dmp

Download
memory/2644-130-0x0000000000000000-mapping.dmp

Download
memory/2680-145-0x0000000000000000-mapping.dmp

Download
memory/2692-177-0x000001A182C80000-0x000001A182E31000-memory.dmp

Filesize
1.7MB

Download
memory/2692-171-0x00007FF6E3B15FD0-mapping.dmp

Download
memory/2692-176-0x0000000000770000-0x0000000000910000-memory.dmp

Filesize
1.6MB

Download
memory/3516-123-0x0000000000000000-mapping.dmp

Download
memory/3616-218-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3616-212-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3616-203-0x0000000000000000-mapping.dmp

Download
memory/3616-215-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/3616-219-0x0000000004C82000-0x0000000004C83000-memory.dmp

Filesize
4KB

Download
memory/3616-229-0x0000000004C83000-0x0000000004C84000-memory.dmp

Filesize
4KB

Download
memory/3620-230-0x0000000000000000-mapping.dmp

Download
memory/3692-140-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3692-131-0x0000000000000000-mapping.dmp

Download
memory/3700-127-0x0000000000000000-mapping.dmp

Download
memory/4016-139-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4016-134-0x0000000000000000-mapping.dmp

Download