danabot | e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758

Analysis

max time kernel
121s
max time network
182s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
Size

6.1MB
MD5

63c6959237b662401a9f78e799d34db1
SHA1

688bd3512930d53cb565468d86941884858c2b52
SHA256

e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758
SHA512

5d905e409449b3f9cf3622b371340f19772a7ed7624bef784521c32b5e9c6242bbbd3b4e0ffc7ce01a88ed6410685312533dc4d1c5723289e29e6edb8bfe3ee1

Score

10^/10

danabot 4 banker discovery evasion themida trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021
behavioral1/memory/4004-151-0x0000000004030000-0x0000000004194000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

WScript.exerundll32.exe

flow pid process

36 2320 WScript.exe
38 2320 WScript.exe
40 2320 WScript.exe
42 2320 WScript.exe
45 4004 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

undirk.exeyoicksvp.exeIntelRapid.exerbyyuwarntir.exe

pid process

2316 undirk.exe
664 yoicksvp.exe
628 IntelRapid.exe
1060 rbyyuwarntir.exe

flow	pid	process
36	2320	WScript.exe
38	2320	WScript.exe
40	2320	WScript.exe
42	2320	WScript.exe
45	4004	rundll32.exe

pid	process
2316	undirk.exe
664	yoicksvp.exe
628	IntelRapid.exe
1060	rbyyuwarntir.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IntelRapid.exeundirk.exeyoicksvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	undirk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	undirk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

undirk.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk undirk.exe
Loads dropped DLL 5 IoCs

Processes:

e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exerundll32.exeRUNDLL32.EXE

pid process

1340 e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
4004 rundll32.exe
4004 rundll32.exe
3228 RUNDLL32.EXE
3228 RUNDLL32.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	undirk.exe

pid	process
1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
4004	rundll32.exe
4004	rundll32.exe
3228	RUNDLL32.EXE
3228	RUNDLL32.EXE

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
behavioral1/memory/2316-122-0x00007FF622BE0000-0x00007FF623567000-memory.dmp	themida
behavioral1/memory/2316-123-0x00007FF622BE0000-0x00007FF623567000-memory.dmp	themida
behavioral1/memory/2316-124-0x00007FF622BE0000-0x00007FF623567000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/664-131-0x0000000001280000-0x00000000018E4000-memory.dmp	themida
behavioral1/memory/664-133-0x0000000001280000-0x00000000018E4000-memory.dmp	themida
behavioral1/memory/628-132-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp	themida
behavioral1/memory/664-136-0x0000000001280000-0x00000000018E4000-memory.dmp	themida
behavioral1/memory/628-135-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp	themida
behavioral1/memory/664-137-0x0000000001280000-0x00000000018E4000-memory.dmp	themida
behavioral1/memory/628-138-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

undirk.exeyoicksvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	undirk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

undirk.exeyoicksvp.exeIntelRapid.exe

pid process

2316 undirk.exe
664 yoicksvp.exe
628 IntelRapid.exe

flow	ioc
9	ip-api.com

pid	process
2316	undirk.exe
664	yoicksvp.exe
628	IntelRapid.exe

Drops file in Program Files directory 4 IoCs

Processes:

e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

684 1288 WerFault.exe RUNDLL32.EXE

pid	pid_target	process	target process
684	1288	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEyoicksvp.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	yoicksvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

yoicksvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings yoicksvp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	yoicksvp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

628 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

yoicksvp.exe

pid process

664 yoicksvp.exe
664 yoicksvp.exe

pid	process
628	IntelRapid.exe

pid	process
664	yoicksvp.exe
664	yoicksvp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exeundirk.exeyoicksvp.exerbyyuwarntir.exerundll32.exe

description	pid	process	target process
PID 1340 wrote to memory of 2316	1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe	undirk.exe
PID 1340 wrote to memory of 2316	1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe	undirk.exe
PID 1340 wrote to memory of 664	1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe	yoicksvp.exe
PID 1340 wrote to memory of 664	1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe	yoicksvp.exe
PID 1340 wrote to memory of 664	1340	e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe	yoicksvp.exe
PID 2316 wrote to memory of 628	2316	undirk.exe	IntelRapid.exe
PID 2316 wrote to memory of 628	2316	undirk.exe	IntelRapid.exe
PID 664 wrote to memory of 1060	664	yoicksvp.exe	rbyyuwarntir.exe
PID 664 wrote to memory of 1060	664	yoicksvp.exe	rbyyuwarntir.exe
PID 664 wrote to memory of 1060	664	yoicksvp.exe	rbyyuwarntir.exe
PID 664 wrote to memory of 2752	664	yoicksvp.exe	WScript.exe
PID 664 wrote to memory of 2752	664	yoicksvp.exe	WScript.exe
PID 664 wrote to memory of 2752	664	yoicksvp.exe	WScript.exe
PID 1060 wrote to memory of 4004	1060	rbyyuwarntir.exe	rundll32.exe
PID 1060 wrote to memory of 4004	1060	rbyyuwarntir.exe	rundll32.exe
PID 1060 wrote to memory of 4004	1060	rbyyuwarntir.exe	rundll32.exe
PID 664 wrote to memory of 2320	664	yoicksvp.exe	WScript.exe
PID 664 wrote to memory of 2320	664	yoicksvp.exe	WScript.exe
PID 664 wrote to memory of 2320	664	yoicksvp.exe	WScript.exe
PID 4004 wrote to memory of 3228	4004	rundll32.exe	RUNDLL32.EXE
PID 4004 wrote to memory of 3228	4004	rundll32.exe	RUNDLL32.EXE
PID 4004 wrote to memory of 3228	4004	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe
"C:\Users\Admin\AppData\Local\Temp\e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:628

C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\rbyyuwarntir.exe
"C:\Users\Admin\AppData\Local\Temp\rbyyuwarntir.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL,s C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.EXE
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL,PA8tY0ExNG4=
5⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
6⤵
PID:1524

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL,oVFPQzY=
6⤵
PID:1288

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
7⤵
PID:3176

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 768
7⤵
- Program crash
PID:684

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
6⤵
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpAB2B.tmp.ps1"
6⤵
PID:3604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEFA9.tmp.ps1"
6⤵
PID:60

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:608

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:3476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hcyctrfcan.vbs"
3⤵
PID:2752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jcuyhekgltei.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
cc7b51f2745be38b334e5dec23fefd0d

SHA1
0a01679efb5a5981f16579d73febcc57913e8f4b

SHA256
480550fb7338209050380646ba0067d85f176982fea1da881885be32b03ab204

SHA512
672f91dcc1d6cb447cd2e96a78c93eaeeda1e19749c3eaa41286c5ead54733698cac2a726b2c43bf1d16118b6036c90873ee2f7791e6e591d8469d9c467fa1f7

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
cc7b51f2745be38b334e5dec23fefd0d

SHA1
0a01679efb5a5981f16579d73febcc57913e8f4b

SHA256
480550fb7338209050380646ba0067d85f176982fea1da881885be32b03ab204

SHA512
672f91dcc1d6cb447cd2e96a78c93eaeeda1e19749c3eaa41286c5ead54733698cac2a726b2c43bf1d16118b6036c90873ee2f7791e6e591d8469d9c467fa1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58fb527d12b9bac95e59fdd1200e1453

SHA1
c1d6c50cb87c209dce0c490570a8c2dcb68acbb5

SHA256
fdfbe8cb1c126a1e0aaba6b4f15e0e32e8638686f72409c5e4750f5afd4d8e11

SHA512
c83a1ae6332cce6452514435b7b85c30e61afe44fcf6d4671d33d3672d7dfae3509ba694eaadc5d2b766bfb67f062517b31a76e1a1e5b4bb8b6cdc85d0b8f186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe39fd9f3a1d47f778a0c8f0f254e4c4

SHA1
2b1e81729dffb839d0ca49c3979448ced620956f

SHA256
7431ad4c18a03c5f28379320d910035c8a226c5b8e1caa988c6d92fdb7efc0f5

SHA512
caabc447947be7d71d461e610817298c133f1e396e2fae22d789dec1af351fe2f7b9801747835f183ce4ea4438d29852751b7ebb8722bfc465e3dc8c7caf6fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcyctrfcan.vbs
MD5
bbf5fad61b2b2be8d3cc3b34074cf55c

SHA1
5b7907c6797e6e5e26c4953a3e6ee8bd8956f782

SHA256
a3526fd9df8d9ee8f893cd195649744aeef5491a3130f8ff0e99a9448d696d2d

SHA512
02e3025a824385e1b5f094109f4f486d2a4f551636cd40347ca95075af7a4a5191cd608d125a73263cd55db535a806aeaa8f9e8fdb5b313c883af9608499d1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcuyhekgltei.vbs
MD5
4972924c9322bc32be96bb2f9923e5ed

SHA1
3568c0c7594b3df6ec81c0a8fbf2b1e04ae7afe6

SHA256
c01d098252ef3532c26bb71a6bc820c0c977b941d6090e5ed294ca33a79e809d

SHA512
bb7201f06860b60f293495888d433526f9f3e3d71343ed18b63976a2538fa4b688d27f083da2f2b7f16c1f1aa3224b2ca136f5a0ddf264a8f3b2ca81fea5a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
202dc043812831e9b306adbfafc2e536

SHA1
c8a49139042291b0c92af1fee36b0c5102b2f626

SHA256
9ba7f0102bb108d023be94985cdf4f3ed80e5e260e4dda531a212cecce0d1d39

SHA512
57344c9ef3b5ba67d4ffc32f19852a3f31168fde2a4fdd4e0d644a93dfb8d0eb9203dac586364d9b8083dfe025c117a7c557226bd0f4bd8e20fcdbf316421bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
202dc043812831e9b306adbfafc2e536

SHA1
c8a49139042291b0c92af1fee36b0c5102b2f626

SHA256
9ba7f0102bb108d023be94985cdf4f3ed80e5e260e4dda531a212cecce0d1d39

SHA512
57344c9ef3b5ba67d4ffc32f19852a3f31168fde2a4fdd4e0d644a93dfb8d0eb9203dac586364d9b8083dfe025c117a7c557226bd0f4bd8e20fcdbf316421bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
4456a0ad06e8801583ffde598d485c06

SHA1
e650d544876b5eaf36f796876dd0e593dcc733a2

SHA256
93bcaad9df41e2b94537d8f74fca47676bf736fc77626d3ec5296177503c9937

SHA512
22d1e2693c6913032a53bf1a3a0642e828afe56c80c46e2fb9fb739fa644ee8c30238387e6b9d4374860ba2b63ebb34d433dd902b229235ca4ac86c80d8e7db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
4456a0ad06e8801583ffde598d485c06

SHA1
e650d544876b5eaf36f796876dd0e593dcc733a2

SHA256
93bcaad9df41e2b94537d8f74fca47676bf736fc77626d3ec5296177503c9937

SHA512
22d1e2693c6913032a53bf1a3a0642e828afe56c80c46e2fb9fb739fa644ee8c30238387e6b9d4374860ba2b63ebb34d433dd902b229235ca4ac86c80d8e7db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbyyuwarntir.exe
MD5
24ca51b618666a5a044fcd3692f12c29

SHA1
8071b7e9e41602ce1e9b8b2d674a2f85c3fd007d

SHA256
db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb

SHA512
67044870ef92e5eeaa40e1a1ec9ff9e4f23b123383bf7a26692c29a2c079b843b6091fff4f4672c585dbb4175675aea1b42dc3df5f36fa1bea064949fea06523

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbyyuwarntir.exe
MD5
24ca51b618666a5a044fcd3692f12c29

SHA1
8071b7e9e41602ce1e9b8b2d674a2f85c3fd007d

SHA256
db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb

SHA512
67044870ef92e5eeaa40e1a1ec9ff9e4f23b123383bf7a26692c29a2c079b843b6091fff4f4672c585dbb4175675aea1b42dc3df5f36fa1bea064949fea06523

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB2B.tmp.ps1
MD5
64dd6d860a155af1f77b5eeae835a32e

SHA1
f30b914ee2cc6b875c94de0b977ae713685e978c

SHA256
bbd226970ba0948b2cc01141e47bbcce2d710744bf11b0f6b7ecf5ee22c26db0

SHA512
8fa3f901c9e47bb592d88b46f4ba82cbb8911021ab6af0ef630f9dc2edb3026a434cd9ac55ecaae16a7d7180062ae2c8cb77c5603046323ea738644c63e20f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB2C.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFA9.tmp.ps1
MD5
549a6434cb37566bf814e6028163977e

SHA1
923719535996fc4db982ee1a2bec3ce521840cc9

SHA256
2a2173706e68c73df52eb2d10c020b055118abed38067cff5593d30f39512d90

SHA512
8059bd0de907f3dd74c59c39eb7a195c1d0edee1e6618257f8710c2e71f91d211d3aec60fcaa11d655965fa706681d9f8a4921bb03454000874ea28f196e2a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFAA.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
202dc043812831e9b306adbfafc2e536

SHA1
c8a49139042291b0c92af1fee36b0c5102b2f626

SHA256
9ba7f0102bb108d023be94985cdf4f3ed80e5e260e4dda531a212cecce0d1d39

SHA512
57344c9ef3b5ba67d4ffc32f19852a3f31168fde2a4fdd4e0d644a93dfb8d0eb9203dac586364d9b8083dfe025c117a7c557226bd0f4bd8e20fcdbf316421bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
202dc043812831e9b306adbfafc2e536

SHA1
c8a49139042291b0c92af1fee36b0c5102b2f626

SHA256
9ba7f0102bb108d023be94985cdf4f3ed80e5e260e4dda531a212cecce0d1d39

SHA512
57344c9ef3b5ba67d4ffc32f19852a3f31168fde2a4fdd4e0d644a93dfb8d0eb9203dac586364d9b8083dfe025c117a7c557226bd0f4bd8e20fcdbf316421bf2

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
\Users\Admin\AppData\Local\Temp\RBYYUW~1.DLL
MD5
7921b9aa1d757d5029538927d2ea0cf7

SHA1
65d3ee2e70124be3a9f8e61bca248e473589802d

SHA256
b5fe1cdad0cf4f53d41209a8ab92102947daf9e4b3cdb314d4a6e2610f491fe7

SHA512
c65032095ec4ea437c24c41ba6d4dd01d6a009d990aba6e759fcd9cf87ea4dd2370836db0377d7d69f41902d4efec9fbfd5948786628f52a232447d84692eab7

Download Submit
\Users\Admin\AppData\Local\Temp\nso2613.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/60-376-0x0000000000000000-mapping.dmp

Download
memory/60-398-0x0000000006D72000-0x0000000006D73000-memory.dmp

Filesize
4KB

Download
memory/60-396-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/60-485-0x0000000006D73000-0x0000000006D74000-memory.dmp

Filesize
4KB

Download
memory/608-481-0x0000000000000000-mapping.dmp

Download
memory/628-138-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp

Filesize
9.5MB

Download
memory/628-135-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp

Filesize
9.5MB

Download
memory/628-132-0x00007FF6B17C0000-0x00007FF6B2147000-memory.dmp

Filesize
9.5MB

Download
memory/628-128-0x0000000000000000-mapping.dmp

Download
memory/664-131-0x0000000001280000-0x00000000018E4000-memory.dmp

Filesize
6.4MB

Download
memory/664-125-0x0000000000000000-mapping.dmp

Download
memory/664-133-0x0000000001280000-0x00000000018E4000-memory.dmp

Filesize
6.4MB

Download
memory/664-134-0x0000000077E30000-0x0000000077FBE000-memory.dmp

Filesize
1.6MB

Download
memory/664-136-0x0000000001280000-0x00000000018E4000-memory.dmp

Filesize
6.4MB

Download
memory/664-137-0x0000000001280000-0x00000000018E4000-memory.dmp

Filesize
6.4MB

Download
memory/1060-139-0x0000000000000000-mapping.dmp

Download
memory/1060-146-0x0000000000400000-0x0000000002FE8000-memory.dmp

Filesize
43.9MB

Download
memory/1060-144-0x0000000004C60000-0x0000000004D50000-memory.dmp

Filesize
960KB

Download
memory/1060-145-0x0000000004E50000-0x0000000004F57000-memory.dmp

Filesize
1.0MB

Download
memory/1288-189-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-190-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-166-0x0000000000000000-mapping.dmp

Download
memory/1288-185-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-178-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-171-0x0000000004EA1000-0x0000000005E85000-memory.dmp

Filesize
15.9MB

Download
memory/1288-188-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1288-183-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-174-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1288-180-0x0000000005F60000-0x00000000060A0000-memory.dmp

Filesize
1.2MB

Download
memory/1288-176-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1524-170-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/1524-228-0x000000007F750000-0x000000007F751000-memory.dmp

Filesize
4KB

Download
memory/1524-177-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/1524-175-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/1524-181-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/1524-198-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/1524-172-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1524-173-0x0000000004762000-0x0000000004763000-memory.dmp

Filesize
4KB

Download
memory/1524-169-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1524-165-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1524-164-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1524-163-0x0000000000000000-mapping.dmp

Download
memory/1524-240-0x0000000004763000-0x0000000004764000-memory.dmp

Filesize
4KB

Download
memory/1524-199-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/1524-222-0x0000000008F40000-0x0000000008F73000-memory.dmp

Filesize
204KB

Download
memory/1524-211-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1524-201-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/1524-179-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/1652-484-0x0000000000000000-mapping.dmp

Download
memory/2204-184-0x0000000000000000-mapping.dmp

Download
memory/2316-122-0x00007FF622BE0000-0x00007FF623567000-memory.dmp

Filesize
9.5MB

Download
memory/2316-123-0x00007FF622BE0000-0x00007FF623567000-memory.dmp

Filesize
9.5MB

Download
memory/2316-119-0x0000000000000000-mapping.dmp

Download
memory/2316-124-0x00007FF622BE0000-0x00007FF623567000-memory.dmp

Filesize
9.5MB

Download
memory/2320-152-0x0000000000000000-mapping.dmp

Download
memory/2384-195-0x0000000000000000-mapping.dmp

Download
memory/2752-142-0x0000000000000000-mapping.dmp

Download
memory/3176-197-0x00000243F27B0000-0x00000243F2962000-memory.dmp

Filesize
1.7MB

Download
memory/3176-196-0x0000000000510000-0x00000000006B0000-memory.dmp

Filesize
1.6MB

Download
memory/3176-193-0x00000243F26A0000-0x00000243F26A2000-memory.dmp

Filesize
8KB

Download
memory/3176-194-0x00000243F26A0000-0x00000243F26A2000-memory.dmp

Filesize
8KB

Download
memory/3176-191-0x00007FF6FB3E5FD0-mapping.dmp

Download
memory/3228-161-0x00000000045D1000-0x00000000055B5000-memory.dmp

Filesize
15.9MB

Download
memory/3228-156-0x0000000000000000-mapping.dmp

Download
memory/3228-162-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3476-486-0x0000000000000000-mapping.dmp

Download
memory/3604-203-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3604-303-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download
memory/3604-207-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/3604-206-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3604-202-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3604-200-0x0000000000000000-mapping.dmp

Download
memory/4004-151-0x0000000004030000-0x0000000004194000-memory.dmp

Filesize
1.4MB

Download
memory/4004-147-0x0000000000000000-mapping.dmp

Download
memory/4004-154-0x0000000004721000-0x0000000005705000-memory.dmp

Filesize
15.9MB

Download
memory/4004-155-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download