danabot | c98b385fbe81a0170835d5ece1bb8a32fb93a7b98961fcd093416f6b3e8a1385

Analysis

max time kernel
86s
max time network
124s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ba729a585e05067d55b624c9253986.exe
Size

6.1MB
MD5

95ba729a585e05067d55b624c9253986
SHA1

d22767b650d3a5f809fc3aca26f59cbcb5919c0b
SHA256

c98b385fbe81a0170835d5ece1bb8a32fb93a7b98961fcd093416f6b3e8a1385
SHA512

3777587e1ca246df901dbf7fdc6cf6349fb8d729ad36f061e743433a7666e1cc5f13f734e765d5c36f663a79125dc7bf2e4eebe892ed22880ceeccf170ad47b8

Score

10^/10

danabot 4 banker discovery evasion themida trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
behavioral2/memory/1212-148-0x0000000000BC0000-0x0000000000D26000-memory.dmp	DanabotLoader2021
behavioral2/memory/2552-156-0x0000000000C10000-0x0000000000D76000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
behavioral2/memory/960-166-0x0000000000C20000-0x0000000000D86000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exe

flow pid process

35 2872 WScript.exe
37 2872 WScript.exe
39 2872 WScript.exe
41 2872 WScript.exe
43 2872 WScript.exe
46 1212 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

foulervp.exegiliak.exeIntelRapid.exebiowlwvbigg.exe

pid process

3372 foulervp.exe
1220 giliak.exe
1296 IntelRapid.exe
3496 biowlwvbigg.exe

flow	pid	process
35	2872	WScript.exe
37	2872	WScript.exe
39	2872	WScript.exe
41	2872	WScript.exe
43	2872	WScript.exe
46	1212	rundll32.exe

pid	process
3372	foulervp.exe
1220	giliak.exe
1296	IntelRapid.exe
3496	biowlwvbigg.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

giliak.exefoulervp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

giliak.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk giliak.exe
Loads dropped DLL 5 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exerundll32.exeRUNDLL32.EXE

pid process

2436 95ba729a585e05067d55b624c9253986.exe
1212 rundll32.exe
1212 rundll32.exe
2552 RUNDLL32.EXE
2552 RUNDLL32.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	giliak.exe

pid	process
2436	95ba729a585e05067d55b624c9253986.exe
1212	rundll32.exe
1212	rundll32.exe
2552	RUNDLL32.EXE
2552	RUNDLL32.EXE

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
behavioral2/memory/1220-122-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp	themida
behavioral2/memory/1220-123-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp	themida
behavioral2/memory/3372-124-0x0000000001320000-0x00000000019F2000-memory.dmp	themida
behavioral2/memory/3372-126-0x0000000001320000-0x00000000019F2000-memory.dmp	themida
behavioral2/memory/1220-125-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp	themida
behavioral2/memory/3372-128-0x0000000001320000-0x00000000019F2000-memory.dmp	themida
behavioral2/memory/3372-129-0x0000000001320000-0x00000000019F2000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/1296-133-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp	themida
behavioral2/memory/1296-134-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp	themida
behavioral2/memory/1296-135-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

giliak.exefoulervp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	giliak.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foulervp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

giliak.exefoulervp.exeIntelRapid.exe

pid process

1220 giliak.exe
3372 foulervp.exe
1296 IntelRapid.exe

flow	ioc
8	ip-api.com

pid	process
1220	giliak.exe
3372	foulervp.exe
1296	IntelRapid.exe

Drops file in Program Files directory 4 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	95ba729a585e05067d55b624c9253986.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	95ba729a585e05067d55b624c9253986.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	95ba729a585e05067d55b624c9253986.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEfoulervp.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	foulervp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	foulervp.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

foulervp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings foulervp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	foulervp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1296 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

foulervp.exe

pid process

3372 foulervp.exe
3372 foulervp.exe

pid	process
1296	IntelRapid.exe

pid	process
3372	foulervp.exe
3372	foulervp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exegiliak.exefoulervp.exebiowlwvbigg.exerundll32.exe

description	pid	process	target process
PID 2436 wrote to memory of 3372	2436	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 2436 wrote to memory of 3372	2436	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 2436 wrote to memory of 3372	2436	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 2436 wrote to memory of 1220	2436	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 2436 wrote to memory of 1220	2436	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 1220 wrote to memory of 1296	1220	giliak.exe	IntelRapid.exe
PID 1220 wrote to memory of 1296	1220	giliak.exe	IntelRapid.exe
PID 3372 wrote to memory of 3496	3372	foulervp.exe	biowlwvbigg.exe
PID 3372 wrote to memory of 3496	3372	foulervp.exe	biowlwvbigg.exe
PID 3372 wrote to memory of 3496	3372	foulervp.exe	biowlwvbigg.exe
PID 3372 wrote to memory of 3672	3372	foulervp.exe	WScript.exe
PID 3372 wrote to memory of 3672	3372	foulervp.exe	WScript.exe
PID 3372 wrote to memory of 3672	3372	foulervp.exe	WScript.exe
PID 3496 wrote to memory of 1212	3496	biowlwvbigg.exe	rundll32.exe
PID 3496 wrote to memory of 1212	3496	biowlwvbigg.exe	rundll32.exe
PID 3496 wrote to memory of 1212	3496	biowlwvbigg.exe	rundll32.exe
PID 3372 wrote to memory of 2872	3372	foulervp.exe	WScript.exe
PID 3372 wrote to memory of 2872	3372	foulervp.exe	WScript.exe
PID 3372 wrote to memory of 2872	3372	foulervp.exe	WScript.exe
PID 1212 wrote to memory of 2552	1212	rundll32.exe	RUNDLL32.EXE
PID 1212 wrote to memory of 2552	1212	rundll32.exe	RUNDLL32.EXE
PID 1212 wrote to memory of 2552	1212	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\95ba729a585e05067d55b624c9253986.exe
"C:\Users\Admin\AppData\Local\Temp\95ba729a585e05067d55b624c9253986.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
"C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\biowlwvbigg.exe
"C:\Users\Admin\AppData\Local\Temp\biowlwvbigg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL,s C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.EXE
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL,WRJHWA==
5⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
6⤵
PID:1720

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL,nlxB
6⤵
PID:960

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
7⤵
PID:2188

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD07.tmp.ps1"
6⤵
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5741.tmp.ps1"
6⤵
PID:4056

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:924

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xuxgjemrigao.vbs"
3⤵
PID:3672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fgftxocacr.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2872

C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
"C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
52e82d6f1b74a61568d0395bf7b0a897

SHA1
f251bbf2178522476fe0aae0649430a074573c31

SHA256
8f038565d9e967a3ec965756243f384782150937420c34aadea5a4ea5e350dc7

SHA512
2c2ba47ef4f8c285107087ee4c12723d5a2536b0ffdaded8d047275d28385e1e1aea08f9b6fc7988df2f8479988ff8181017e720034d34db66ddad0b90352462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5aeee8fc506416da2c3f5271e98f5eb1

SHA1
4fbffbd5558d362d2d623af47ddcb8bb07dac855

SHA256
d65a4c58a74160e8966181044cdbb8b14f27d531b1d17c2acea3df6bab6b2610

SHA512
46c6d4f0f172b01db8007e35360dc769decae43bc5574c87328bb9590aebdb4165f923b5c9a47a77185c8a07732d4c8f71700891210baad05d7a8332a8998965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f4abd515b28d47fce6d53c0d3a6a43e1

SHA1
f739ffd6ea1f71ece85df8747a3ea7522f8f637e

SHA256
aaee00e733715425d879faa0af2383993f3f01a7e2b94f98781788bd25ff8dab

SHA512
64dd971557dcb4188865d965ba252c7ba0d574371f21010f07464f48e22a907ae9ccb4f1c0dd9de0ee84c66160aff8bf10069a6bb79cde05ee56ecf6da6c711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\biowlwvbigg.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\biowlwvbigg.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgftxocacr.vbs
MD5
5edd9862851b91d55754333ff4a3a5cd

SHA1
9a2fec603d44498c4a5ca90aadead29bfcd24881

SHA256
74de6167cf9721d538374753140555a1b52d6790290ad053076c461735507085

SHA512
64530e9d4d4660aef9a952a063c9ddbf047b28636112c7aa6b83bad24a47aef649cedf24c339d3099e2b0656f7a5cc41233f45e54a0a13b0c469780554ba033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5741.tmp.ps1
MD5
cba95bf1b6ac9195e9b586c2ef79e1ae

SHA1
d3b89b532bcedcf8cdc73112f7b17bc6c72ce6d9

SHA256
befb6d6fb69fac93268346ae1ef61749d9ed0409cbcce39a62f204df18de2197

SHA512
d190475c524c07331c473beddf6a9cefc8887d46486b0b9683ac249512b91170fce75da73c425dc551699ae5ad9f10d6c478ab9280e3722a2d23675a5cb0af27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5742.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD07.tmp.ps1
MD5
76f603e6d45af3b08672037507d890a4

SHA1
e337595d0f7568c7559d10e01d8a3883c22eec18

SHA256
4214b094ccc726412ee3b4cc23975f1e2e91359f61c0ff12af66e378d8fea6a2

SHA512
5c62d70ef1e540485415b3f1cb78ed6c8078152be34d672009c490699c08c0b9d4b2fccf9710b34f35ae768cb8c10275586831ad89cfd9abf57791892bc7d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD08.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuxgjemrigao.vbs
MD5
4ffb316c8302bda868d4e27dca2858f4

SHA1
8e800d4825b61559a6e73b3375ba4cae20a1c63d

SHA256
e3c6d9bf697e738ab5d6e4220c7789b43b98d50d0ef87f99c1093323d881a06a

SHA512
4d7a92dfac73787076a15bef42d09500665ca91bd5eadddaaf9b0575ad7146c31825dc1d4fbebd1a28e4de3660b58ceba29c6392c32fe2d92f874cd947f50469

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\BIOWLW~1.DLL
MD5
0411e7677c16e186afb8ef0b4e47e773

SHA1
6b927a4fd32eb1e6d551d2912d85b1051db78da3

SHA256
0f83704637f3238b950b6be9c7661e064e1eb2e3e13949423b9e66ea677ec3af

SHA512
945738fb07820984e455f1bf34e50add63a3fc98c4da227f6c7cf0b634b33e50ca84d9ee3aee2da47f57d7b6b1c48167714dbf7c1d72d1ab1971bf74d2dc6a1f

Download Submit
\Users\Admin\AppData\Local\Temp\nslAD68.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/360-193-0x0000000000000000-mapping.dmp

Download
memory/924-480-0x0000000000000000-mapping.dmp

Download
memory/960-186-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/960-183-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/960-182-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/960-176-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/960-185-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/960-171-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/960-175-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/960-166-0x0000000000C20000-0x0000000000D86000-memory.dmp

Filesize
1.4MB

Download
memory/960-161-0x0000000000000000-mapping.dmp

Download
memory/960-179-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/960-177-0x0000000001100000-0x0000000001240000-memory.dmp

Filesize
1.2MB

Download
memory/1092-194-0x0000000000000000-mapping.dmp

Download
memory/1092-289-0x00000000067B3000-0x00000000067B4000-memory.dmp

Filesize
4KB

Download
memory/1092-196-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1092-197-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1092-201-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/1092-202-0x00000000067B2000-0x00000000067B3000-memory.dmp

Filesize
4KB

Download
memory/1212-151-0x0000000004701000-0x00000000056E5000-memory.dmp

Filesize
15.9MB

Download
memory/1212-152-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1212-148-0x0000000000BC0000-0x0000000000D26000-memory.dmp

Filesize
1.4MB

Download
memory/1212-144-0x0000000000000000-mapping.dmp

Download
memory/1220-125-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp

Filesize
9.1MB

Download
memory/1220-123-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp

Filesize
9.1MB

Download
memory/1220-122-0x00007FF7574A0000-0x00007FF757DBD000-memory.dmp

Filesize
9.1MB

Download
memory/1220-119-0x0000000000000000-mapping.dmp

Download
memory/1296-135-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp

Filesize
9.1MB

Download
memory/1296-130-0x0000000000000000-mapping.dmp

Download
memory/1296-133-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp

Filesize
9.1MB

Download
memory/1296-134-0x00007FF69F2A0000-0x00007FF69FBBD000-memory.dmp

Filesize
9.1MB

Download
memory/1664-482-0x0000000000000000-mapping.dmp

Download
memory/1720-232-0x000000007EC20000-0x000000007EC21000-memory.dmp

Filesize
4KB

Download
memory/1720-162-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1720-160-0x0000000000000000-mapping.dmp

Download
memory/1720-180-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/1720-181-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/1720-163-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1720-184-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/1720-240-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/1720-174-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/1720-173-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/1720-172-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1720-218-0x00000000091D0000-0x0000000009203000-memory.dmp

Filesize
204KB

Download
memory/1720-208-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1720-203-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/1720-168-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1720-195-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/1720-198-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/1720-169-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/2188-192-0x000002478FD90000-0x000002478FF42000-memory.dmp

Filesize
1.7MB

Download
memory/2188-191-0x00000000009B0000-0x0000000000B50000-memory.dmp

Filesize
1.6MB

Download
memory/2188-189-0x000002478FC30000-0x000002478FC32000-memory.dmp

Filesize
8KB

Download
memory/2188-190-0x000002478FC30000-0x000002478FC32000-memory.dmp

Filesize
8KB

Download
memory/2188-187-0x00007FF789195FD0-mapping.dmp

Download
memory/2552-153-0x0000000000000000-mapping.dmp

Download
memory/2552-158-0x0000000004A41000-0x0000000005A25000-memory.dmp

Filesize
15.9MB

Download
memory/2552-159-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2552-156-0x0000000000C10000-0x0000000000D76000-memory.dmp

Filesize
1.4MB

Download
memory/2740-477-0x0000000000000000-mapping.dmp

Download
memory/2872-149-0x0000000000000000-mapping.dmp

Download
memory/3372-124-0x0000000001320000-0x00000000019F2000-memory.dmp

Filesize
6.8MB

Download
memory/3372-127-0x0000000077AB0000-0x0000000077C3E000-memory.dmp

Filesize
1.6MB

Download
memory/3372-116-0x0000000000000000-mapping.dmp

Download
memory/3372-128-0x0000000001320000-0x00000000019F2000-memory.dmp

Filesize
6.8MB

Download
memory/3372-126-0x0000000001320000-0x00000000019F2000-memory.dmp

Filesize
6.8MB

Download
memory/3372-129-0x0000000001320000-0x00000000019F2000-memory.dmp

Filesize
6.8MB

Download
memory/3496-142-0x0000000004E00000-0x0000000004F09000-memory.dmp

Filesize
1.0MB

Download
memory/3496-139-0x0000000004C03000-0x0000000004CF5000-memory.dmp

Filesize
968KB

Download
memory/3496-143-0x0000000000400000-0x0000000002FEB000-memory.dmp

Filesize
43.9MB

Download
memory/3496-136-0x0000000000000000-mapping.dmp

Download
memory/3672-140-0x0000000000000000-mapping.dmp

Download
memory/4056-423-0x0000000006C52000-0x0000000006C53000-memory.dmp

Filesize
4KB

Download
memory/4056-421-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/4056-481-0x0000000006C53000-0x0000000006C54000-memory.dmp

Filesize
4KB

Download
memory/4056-390-0x0000000000000000-mapping.dmp

Download