danabot | 2873f7c2119b8d916aa916e1c9138835b0ab18937e24f1e94f9f5949a1b64177

Analysis

max time kernel
150s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37ef42e0b21d765a7a2fa3e29a934d4b.exe
Size

1.1MB
MD5

37ef42e0b21d765a7a2fa3e29a934d4b
SHA1

c10d179ded62764b0428e57e3a053097d7d57f2d
SHA256

2873f7c2119b8d916aa916e1c9138835b0ab18937e24f1e94f9f5949a1b64177
SHA512

e006ddc0adaf282688fb3b47c3f58399205702ecb08bd25784e1945cf887e9860807a27bda2724b823a0869c7dad4714ede3a71f1dd44f164b3288f98014490c

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

31 2052 WScript.exe
33 2052 WScript.exe
35 2052 WScript.exe
37 2052 WScript.exe
40 3760 rundll32.exe
41 8 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vpn.exe4.exeSorridente.exe.comSorridente.exe.comSmartClock.exehckwfuhyqb.exe

pid process

1552 vpn.exe
1928 4.exe
3960 Sorridente.exe.com
3936 Sorridente.exe.com
1248 SmartClock.exe
2788 hckwfuhyqb.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exerundll32.exeRUNDLL32.EXE

pid process

568 37ef42e0b21d765a7a2fa3e29a934d4b.exe
3760 rundll32.exe
3760 rundll32.exe
8 RUNDLL32.EXE
8 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
31	2052	WScript.exe
33	2052	WScript.exe
35	2052	WScript.exe
37	2052	WScript.exe
40	3760	rundll32.exe
41	8	RUNDLL32.EXE

pid	process
1552	vpn.exe
1928	4.exe
3960	Sorridente.exe.com
3936	Sorridente.exe.com
1248	SmartClock.exe
2788	hckwfuhyqb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
568	37ef42e0b21d765a7a2fa3e29a934d4b.exe
3760	rundll32.exe
3760	rundll32.exe
8	RUNDLL32.EXE
8	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vpn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vpn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	ioc
15	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXESorridente.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sorridente.exe.com
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sorridente.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Sorridente.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Sorridente.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Sorridente.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXEWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F0A0E6317DD1D278185F0B1442C3DED68956327	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F0A0E6317DD1D278185F0B1442C3DED68956327\Blob = 0300000001000000140000004f0a0e6317dd1d278185f0b1442c3ded6895632720000000010000009e0200003082029a30820203a00302010202087e1d488b1faa1590300d06092a864886f70d01010b0500306d312c302a06035504030c234469316769436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139303732373136303335305a170d3233303732363136303335305a306d312c302a06035504030c234469316769436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100ad7ff59b55bcbd84794d4eed0e5746578c6783aedc0f2a2e98e08ee0fa938213f543cd8cbb416402ca03ef64dbc46a25d0f63977e4624a7e9fd29e1152a0b166ebc97162ff71ff8cc8610fb8a69845311d83c326782ee015a5370beb2b1db4488655184edc4925d244b11d82c50d7f7a9f50a965bae95f869694d9b7bf14c1150203010001a3433041300f0603551d130101ff040530030101ff302e0603551d110427302582234469316769436572742048696768204173737572616e636520455620526f6f74204341300d06092a864886f70d01010b05000381810013bf946ab11ade72ba8708007061ec820c8cfb0af2365521623682f0ac2baa51646603ea517a0e958ab875395bb8b5d909e158a0119a916fe42b680b1789da467d2fabdbfa0cb5fa23696b9649cf05ab30b3aa227bb27d46341fedb6d5d75fb88cc8ba483fca617e3b9e4837c6f9b5dee2e6681e8e1a9708116ca7dcb69cd73e	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1964 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1248 SmartClock.exe

pid	process
1964	PING.EXE

pid	process
1248	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
8	RUNDLL32.EXE
8	RUNDLL32.EXE
8	RUNDLL32.EXE
8	RUNDLL32.EXE
8	RUNDLL32.EXE
8	RUNDLL32.EXE
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
8	RUNDLL32.EXE
8	RUNDLL32.EXE
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 8 RUNDLL32.EXE
Token: SeDebugPrivilege 4032 powershell.exe
Token: SeDebugPrivilege 3144 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

8 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	8	RUNDLL32.EXE
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exevpn.execmd.execmd.exeSorridente.exe.com4.exeSorridente.exe.comhckwfuhyqb.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 568 wrote to memory of 1552	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 568 wrote to memory of 1552	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 568 wrote to memory of 1552	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 568 wrote to memory of 1928	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 568 wrote to memory of 1928	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 568 wrote to memory of 1928	568	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1552 wrote to memory of 2780	1552	vpn.exe	cmd.exe
PID 1552 wrote to memory of 2780	1552	vpn.exe	cmd.exe
PID 1552 wrote to memory of 2780	1552	vpn.exe	cmd.exe
PID 1552 wrote to memory of 3688	1552	vpn.exe	cmd.exe
PID 1552 wrote to memory of 3688	1552	vpn.exe	cmd.exe
PID 1552 wrote to memory of 3688	1552	vpn.exe	cmd.exe
PID 3688 wrote to memory of 2848	3688	cmd.exe	cmd.exe
PID 3688 wrote to memory of 2848	3688	cmd.exe	cmd.exe
PID 3688 wrote to memory of 2848	3688	cmd.exe	cmd.exe
PID 2848 wrote to memory of 3172	2848	cmd.exe	findstr.exe
PID 2848 wrote to memory of 3172	2848	cmd.exe	findstr.exe
PID 2848 wrote to memory of 3172	2848	cmd.exe	findstr.exe
PID 2848 wrote to memory of 3960	2848	cmd.exe	Sorridente.exe.com
PID 2848 wrote to memory of 3960	2848	cmd.exe	Sorridente.exe.com
PID 2848 wrote to memory of 3960	2848	cmd.exe	Sorridente.exe.com
PID 2848 wrote to memory of 1964	2848	cmd.exe	PING.EXE
PID 2848 wrote to memory of 1964	2848	cmd.exe	PING.EXE
PID 2848 wrote to memory of 1964	2848	cmd.exe	PING.EXE
PID 3960 wrote to memory of 3936	3960	Sorridente.exe.com	Sorridente.exe.com
PID 3960 wrote to memory of 3936	3960	Sorridente.exe.com	Sorridente.exe.com
PID 3960 wrote to memory of 3936	3960	Sorridente.exe.com	Sorridente.exe.com
PID 1928 wrote to memory of 1248	1928	4.exe	SmartClock.exe
PID 1928 wrote to memory of 1248	1928	4.exe	SmartClock.exe
PID 1928 wrote to memory of 1248	1928	4.exe	SmartClock.exe
PID 3936 wrote to memory of 2788	3936	Sorridente.exe.com	hckwfuhyqb.exe
PID 3936 wrote to memory of 2788	3936	Sorridente.exe.com	hckwfuhyqb.exe
PID 3936 wrote to memory of 2788	3936	Sorridente.exe.com	hckwfuhyqb.exe
PID 3936 wrote to memory of 2724	3936	Sorridente.exe.com	WScript.exe
PID 3936 wrote to memory of 2724	3936	Sorridente.exe.com	WScript.exe
PID 3936 wrote to memory of 2724	3936	Sorridente.exe.com	WScript.exe
PID 2788 wrote to memory of 3760	2788	hckwfuhyqb.exe	rundll32.exe
PID 2788 wrote to memory of 3760	2788	hckwfuhyqb.exe	rundll32.exe
PID 2788 wrote to memory of 3760	2788	hckwfuhyqb.exe	rundll32.exe
PID 3936 wrote to memory of 2052	3936	Sorridente.exe.com	WScript.exe
PID 3936 wrote to memory of 2052	3936	Sorridente.exe.com	WScript.exe
PID 3936 wrote to memory of 2052	3936	Sorridente.exe.com	WScript.exe
PID 3760 wrote to memory of 8	3760	rundll32.exe	RUNDLL32.EXE
PID 3760 wrote to memory of 8	3760	rundll32.exe	RUNDLL32.EXE
PID 3760 wrote to memory of 8	3760	rundll32.exe	RUNDLL32.EXE
PID 8 wrote to memory of 4032	8	RUNDLL32.EXE	powershell.exe
PID 8 wrote to memory of 4032	8	RUNDLL32.EXE	powershell.exe
PID 8 wrote to memory of 4032	8	RUNDLL32.EXE	powershell.exe
PID 8 wrote to memory of 3144	8	RUNDLL32.EXE	powershell.exe
PID 8 wrote to memory of 3144	8	RUNDLL32.EXE	powershell.exe
PID 8 wrote to memory of 3144	8	RUNDLL32.EXE	powershell.exe
PID 3144 wrote to memory of 2052	3144	powershell.exe	nslookup.exe
PID 3144 wrote to memory of 2052	3144	powershell.exe	nslookup.exe
PID 3144 wrote to memory of 2052	3144	powershell.exe	nslookup.exe
PID 8 wrote to memory of 988	8	RUNDLL32.EXE	schtasks.exe
PID 8 wrote to memory of 988	8	RUNDLL32.EXE	schtasks.exe
PID 8 wrote to memory of 988	8	RUNDLL32.EXE	schtasks.exe
PID 8 wrote to memory of 2380	8	RUNDLL32.EXE	schtasks.exe
PID 8 wrote to memory of 2380	8	RUNDLL32.EXE	schtasks.exe
PID 8 wrote to memory of 2380	8	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\37ef42e0b21d765a7a2fa3e29a934d4b.exe
"C:\Users\Admin\AppData\Local\Temp\37ef42e0b21d765a7a2fa3e29a934d4b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c YJktxkgm
3⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Sfinge.vsdm
3⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XvFshFVovrUIndZSFBxxytnrIUNDETWbxfrjHpPpZeHGABxnUuWmzuATXBIzSaECibhojMlvLkxevSDiAfIbXvrhOlfyAvsHntnrhkkoWANoMbvyXATDKiFKzqz$" Vorrei.vsdm
5⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
Sorridente.exe.com E
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com E
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\hckwfuhyqb.exe
"C:\Users\Admin\AppData\Local\Temp\hckwfuhyqb.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP,S C:\Users\Admin\AppData\Local\Temp\HCKWFU~1.EXE
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP,ckwmODVWYjU=
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp42F1.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5C76.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
11⤵
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:2380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jkjkper.vbs"
7⤵
PID:2724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xnflnyauk.vbs"
7⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2052

C:\Windows\SysWOW64\PING.EXE
ping GFBFPSXA -n 30
5⤵
- Runs ping.exe
PID:1964

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
034a5adea7756ce2e126b7e48369b271

SHA1
0a6e131bc81c3eb2155c69ae67166368a1dd5fec

SHA256
64c3b884e65baffb79d7edd50137b75dccb273d8061b793e36a3aa3f22bb3842

SHA512
5e318fa7438c0e02caa191022fa8d20b246b753d47d893c8e0c0934384021d76fafe939164ad5e07b8e1e037cf8e4640f2c3f0b55718db7610192f44d9bc28a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b60df1a34fea0bfbef1c24f54eae7289

SHA1
a90177fcf89fe2bd98ac3a45339c34a5967ddd3a

SHA256
b738630b11ecd196fcae485ed1238344fff520d51af5c48a9161b2cddf162bd4

SHA512
84cff687fe87a83a69bba91e1574d406bec850dbfee5c3dbc09851d5ecf3150cd97552d32952322cbff80c884daba26e37f456fffb69ba5ae572bb8be867f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP
MD5
4aa41aaf04e35d03f880708db1cd5407

SHA1
28594223d6718c61918f0f667cb6a70add3906e4

SHA256
604dce77259862fab9ef6a93b9c0eb1992821967b98d7ab1f0d141593025e16c

SHA512
1bd6a2cb83cdf60db26240bd292124fce39f85cf48c95dab35f43c00010d94ad764bc6becc92a243e0c2048cec3f521c3b8c2b6fe9b86387a8785ab9385e04a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E
MD5
4c5c7f3e7362720b4241f8efbb2be752

SHA1
be23ecf084cbf60b0f7bab86701cff9dfb1c2760

SHA256
c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3

SHA512
2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensato.vsdm
MD5
4c5e138f22c752587d27c5047f1c9adc

SHA1
64549847c05c5a08e2c66fc5591a5b1103714bd2

SHA256
e260b4bb610bb0ddfa0889f497430539bd85a7928fc37002114e87091f2ead62

SHA512
8c00eb836c230ae57465b1cde318c3d441327853d1685066fe91caa2ad7fef3c3be9cda549f5bb753e2fea5a41f798fec3d22075589144365b95eb9f64ad1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.vsdm
MD5
4c5c7f3e7362720b4241f8efbb2be752

SHA1
be23ecf084cbf60b0f7bab86701cff9dfb1c2760

SHA256
c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3

SHA512
2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfinge.vsdm
MD5
2330ab365da0a8cf6c766b2c38b3704b

SHA1
faded741162dc8c18b2fdb870b07d956ffb1558b

SHA256
61342f8e9ea670d0d3f73273288ee0d67a10e0560e6a455cbf8d585a4119ec11

SHA512
d3acac95e7fbbd47f5c45cde0737fdea200e4aa97f1e4fdad0d8e8b41b2c163e71798656eafe42338f018ca0d8507739841e5f39603e3d556ca452c46e72ded3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorrei.vsdm
MD5
88b40e7263e5a4a08f6e097581a400ad

SHA1
67fdbd36361a85edb562fd1dbb9227916a4a09c4

SHA256
4f36363fb3bc37dc1fb6af3f450f509f47e201285b4815ef2e9bbba540fdf2fc

SHA512
edf8da6848baf6f5e939be35bd7e27f3b2939b519b6d9c8388f6d5af68920c46b3c90a13a91041b0bd0b65b121ddda6554f10f387fd03655d7c9d7652e7ee51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
51aebb77c703d0ee1f9246828af5105f

SHA1
fe0710ab9e6663f2b76c5fe5ff76c9c9f7e741d2

SHA256
53f273aa3da76fc6b2f4293bf11b2c4695f0afd777ee7467b1f67af65b0b61ff

SHA512
d16449b33c43354bd082f9e37faf566f3a570445836227f104c99518c5ad8788ad5d5aa8db5e9fd0d7f9a2a48df381a6ec85a4fcba2f682a33295abaeff18012

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckwfuhyqb.exe
MD5
e8a7947d1fe52e80325d5fe48cc592e3

SHA1
4cb0d29ae57b07fe527f32e063b830a602123ea0

SHA256
6a76f7c119d1da226f8410c10c998f7506a1095a06987443fc85f4b5818953f5

SHA512
f5c94123fcd17494f87e5b9c3a5976e418043ebbd4551d9f0accff46a6660611b5716799211de0b512cf3ff18dcf3fd19d0c9dd14a618cabf4e761d1f3635a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hckwfuhyqb.exe
MD5
e8a7947d1fe52e80325d5fe48cc592e3

SHA1
4cb0d29ae57b07fe527f32e063b830a602123ea0

SHA256
6a76f7c119d1da226f8410c10c998f7506a1095a06987443fc85f4b5818953f5

SHA512
f5c94123fcd17494f87e5b9c3a5976e418043ebbd4551d9f0accff46a6660611b5716799211de0b512cf3ff18dcf3fd19d0c9dd14a618cabf4e761d1f3635a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkjkper.vbs
MD5
ccd42bd50a5da3219aac588140d20204

SHA1
ef300b918388230a752127b459073046683f6ebd

SHA256
ba4a6cebea4088696438c8e1ad07eda7c678a65a1e447999b8ed86874d5cfff3

SHA512
53ce16ba496820b472947604420ec66cd69fc8cbc69cefc18e8b40c74f86e141be63234f3df6b44e204ddd6dca379a20119a83d95ffb88fdf2a31e7905f6e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42F1.tmp.ps1
MD5
9a595b75709878acde88d4d48d5e7b02

SHA1
699dafa9db64bc612f4395ad1656495750ea9c19

SHA256
91b4d454fac26c7a9ab61824eb1c76b2d756287995da52bc13aad206687d52a9

SHA512
a76b631dd5a94bfcd5e5dde76b3a00ee3be1a02e6855fa5b89cc8c4ec51fdfe981e7935bdc714b36d709f10011aba654f6d58281ffab557675efea429c69ab8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42F2.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C76.tmp.ps1
MD5
ac8a5e5a40cc8b353fadcb4d3d7a8062

SHA1
aa687e98dcd20db3743b51a6a994e8a07f03f8f8

SHA256
8c8322cf49ce493099d3a8ef5e7edabddbf2c4daa6b5f7b3817272d876da3ff1

SHA512
d34d6d59fc32b84d0150e9df343cfed778db20b1306cc47e9b286fbd81e16dbad4b38ef3eda7119d9572e8d893b0113b9775594646aa6f60d37a4e45c0600077

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C86.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnflnyauk.vbs
MD5
c7d6b78ad35fd924380157a7b87b3237

SHA1
784230bcb6caf2cd20b2bdea06a3d44da6232c01

SHA256
d9e2fefb91e6f0830fab5eaa748fcad7dd229fe3e8e2421ae6039529c3f4bcfb

SHA512
b47f5ce5c67f2a0f5208e0d4cefd96507619914bd173504a162c697c593eb028d8751f8879000ec0f42073563832fd3fdf851a5603ed526c9ec955a46e447ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP
MD5
4aa41aaf04e35d03f880708db1cd5407

SHA1
28594223d6718c61918f0f667cb6a70add3906e4

SHA256
604dce77259862fab9ef6a93b9c0eb1992821967b98d7ab1f0d141593025e16c

SHA512
1bd6a2cb83cdf60db26240bd292124fce39f85cf48c95dab35f43c00010d94ad764bc6becc92a243e0c2048cec3f521c3b8c2b6fe9b86387a8785ab9385e04a6

Download Submit
\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP
MD5
4aa41aaf04e35d03f880708db1cd5407

SHA1
28594223d6718c61918f0f667cb6a70add3906e4

SHA256
604dce77259862fab9ef6a93b9c0eb1992821967b98d7ab1f0d141593025e16c

SHA512
1bd6a2cb83cdf60db26240bd292124fce39f85cf48c95dab35f43c00010d94ad764bc6becc92a243e0c2048cec3f521c3b8c2b6fe9b86387a8785ab9385e04a6

Download Submit
\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP
MD5
4aa41aaf04e35d03f880708db1cd5407

SHA1
28594223d6718c61918f0f667cb6a70add3906e4

SHA256
604dce77259862fab9ef6a93b9c0eb1992821967b98d7ab1f0d141593025e16c

SHA512
1bd6a2cb83cdf60db26240bd292124fce39f85cf48c95dab35f43c00010d94ad764bc6becc92a243e0c2048cec3f521c3b8c2b6fe9b86387a8785ab9385e04a6

Download Submit
\Users\Admin\AppData\Local\Temp\HCKWFU~1.TMP
MD5
4aa41aaf04e35d03f880708db1cd5407

SHA1
28594223d6718c61918f0f667cb6a70add3906e4

SHA256
604dce77259862fab9ef6a93b9c0eb1992821967b98d7ab1f0d141593025e16c

SHA512
1bd6a2cb83cdf60db26240bd292124fce39f85cf48c95dab35f43c00010d94ad764bc6becc92a243e0c2048cec3f521c3b8c2b6fe9b86387a8785ab9385e04a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsr7074.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/8-170-0x00000000049D0000-0x0000000005C66000-memory.dmp

Filesize
18.6MB

Download
memory/8-169-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/8-163-0x0000000000000000-mapping.dmp

Download
memory/8-166-0x00000000043F0000-0x000000000454E000-memory.dmp

Filesize
1.4MB

Download
memory/988-223-0x0000000000000000-mapping.dmp

Download
memory/1248-139-0x0000000002060000-0x0000000002086000-memory.dmp

Filesize
152KB

Download
memory/1248-136-0x0000000000000000-mapping.dmp

Download
memory/1248-140-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1552-115-0x0000000000000000-mapping.dmp

Download
memory/1928-134-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1928-117-0x0000000000000000-mapping.dmp

Download
memory/1928-135-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1964-129-0x0000000000000000-mapping.dmp

Download
memory/2052-155-0x0000000000000000-mapping.dmp

Download
memory/2052-220-0x0000000000000000-mapping.dmp

Download
memory/2380-225-0x0000000000000000-mapping.dmp

Download
memory/2724-146-0x0000000000000000-mapping.dmp

Download
memory/2780-120-0x0000000000000000-mapping.dmp

Download
memory/2788-154-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2788-153-0x0000000002320000-0x0000000002420000-memory.dmp

Filesize
1024KB

Download
memory/2788-143-0x0000000000000000-mapping.dmp

Download
memory/2848-123-0x0000000000000000-mapping.dmp

Download
memory/3144-209-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/3144-224-0x0000000007413000-0x0000000007414000-memory.dmp

Filesize
4KB

Download
memory/3144-197-0x0000000000000000-mapping.dmp

Download
memory/3144-206-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/3144-210-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3144-211-0x0000000007412000-0x0000000007413000-memory.dmp

Filesize
4KB

Download
memory/3172-124-0x0000000000000000-mapping.dmp

Download
memory/3688-121-0x0000000000000000-mapping.dmp

Download
memory/3760-168-0x0000000004A20000-0x0000000005CB6000-memory.dmp

Filesize
18.6MB

Download
memory/3760-148-0x0000000000000000-mapping.dmp

Download
memory/3760-152-0x0000000000E60000-0x0000000000FBE000-memory.dmp

Filesize
1.4MB

Download
memory/3936-141-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/3936-131-0x0000000000000000-mapping.dmp

Download
memory/3960-127-0x0000000000000000-mapping.dmp

Download
memory/4032-179-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/4032-193-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/4032-192-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/4032-196-0x0000000004C83000-0x0000000004C84000-memory.dmp

Filesize
4KB

Download
memory/4032-191-0x0000000009D00000-0x0000000009D01000-memory.dmp

Filesize
4KB

Download
memory/4032-186-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/4032-184-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/4032-183-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/4032-182-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/4032-181-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/4032-180-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/4032-178-0x0000000004C82000-0x0000000004C83000-memory.dmp

Filesize
4KB

Download
memory/4032-177-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4032-176-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/4032-175-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/4032-174-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4032-171-0x0000000000000000-mapping.dmp

Download