danabot | afad70661bb540b1a19bc2ce76ccbad746ec46e4702b05cd09318ef65828a180

Analysis

max time kernel
162s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

218KB
MD5

86db39b4cafa85b6adea5c9eba98cec6
SHA1

22059c8e98bff14f07180992716ffd242ed0dae8
SHA256

afad70661bb540b1a19bc2ce76ccbad746ec46e4702b05cd09318ef65828a180
SHA512

de000aa6ae0fe379a83549e833b91a77760a9c4203b62972c89b1e33e6aa5f76895a65b35f5e8c874bc6348121f399397639326c299c02fb82904d4fc49cc591
SSDEEP

3072:z00pudPr9P9szcLrNsXnIrBf+VgHpbY6qHFm0bDhqzOSt8mCO:zEOcLpsXIrK6qlXqzTjC

Score

10^/10

danabot djvu erbium smokeloader backdoor banker collection discovery persistence ransomware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.powz
offline_id
tHl9RvVtHhFQisMomKMdXzz2soNLhV0cuok85it1
payload_url
http://rgyui.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oTIha7SI4s Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0581Jhyjd

rsa_pubkey.plain

Extracted

Family

danabot

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Extracted

Family

erbium

http://77.73.133.53/cloud/index.php

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detected Djvu ransomware 5 IoCs

resource	yara_rule
behavioral2/memory/2136-154-0x00000000024B0000-0x00000000025CB000-memory.dmp	family_djvu
behavioral2/memory/2384-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2384-177-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2384-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2384-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

resource	yara_rule
behavioral2/memory/2296-133-0x0000000000830000-0x0000000000839000-memory.dmp	family_smokeloader
behavioral2/memory/3624-144-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader
behavioral2/memory/2788-162-0x0000000002050000-0x0000000002059000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Erbium
Erbium is an infostealer written in C++ and first seen in July 2022.
stealer erbium
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
2136	C64E.exe
3624	C8B1.exe
404	D489.exe
3008	E042.exe
2788	E5E1.exe
2540	EA08.exe
3068	EF0A.exe
2384	C64E.exe
1944	3A0E.exe
4424	42E9.exe
760	48E5.exe
1836	5663.exe
2280	6171.exe
2920	6990.exe
1888	6FEA.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000022f6d-151.dat	vmprotect
behavioral2/files/0x0007000000022f6d-152.dat	vmprotect
behavioral2/memory/3008-164-0x0000000140000000-0x000000014060F000-memory.dmp	vmprotect
behavioral2/files/0x0007000000022f70-170.dat	vmprotect
behavioral2/files/0x0007000000022f70-169.dat	vmprotect
behavioral2/memory/3068-171-0x0000000140000000-0x000000014060F000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	C64E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	48E5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
94236	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cba75721-6a8d-4ddf-a1c8-f80c41bcf2a1\\C64E.exe\" --AutoStart"	C64E.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
102	api.2ip.ua
114	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2384	2136	C64E.exe	91
PID 1888 set thread context of 101096	1888	6FEA.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
101184	404	WerFault.exe	86
101236	404	WerFault.exe	86
101284	404	WerFault.exe	86
101316	404	WerFault.exe	86
101352	404	WerFault.exe	86
96640	404	WerFault.exe	86

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C8B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5E1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5E1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EA08.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EA08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C8B1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E5E1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EA08.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C8B1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	file.exe
2296	file.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	Process not Found

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
2296	file.exe
3624	C8B1.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
2788	E5E1.exe
2540	EA08.exe
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found
3060	Process not Found

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	3060	Process not Found
Token: SeCreatePagefilePrivilege	3060	Process not Found
Token: SeShutdownPrivilege	79312	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2136	3060	Process not Found	83
PID 3060 wrote to memory of 2136	3060	Process not Found	83
PID 3060 wrote to memory of 2136	3060	Process not Found	83
PID 3060 wrote to memory of 3624	3060	Process not Found	84
PID 3060 wrote to memory of 3624	3060	Process not Found	84
PID 3060 wrote to memory of 3624	3060	Process not Found	84
PID 3060 wrote to memory of 404	3060	Process not Found	86
PID 3060 wrote to memory of 404	3060	Process not Found	86
PID 3060 wrote to memory of 404	3060	Process not Found	86
PID 3060 wrote to memory of 3008	3060	Process not Found	87
PID 3060 wrote to memory of 3008	3060	Process not Found	87
PID 3060 wrote to memory of 2788	3060	Process not Found	88
PID 3060 wrote to memory of 2788	3060	Process not Found	88
PID 3060 wrote to memory of 2788	3060	Process not Found	88
PID 3060 wrote to memory of 2540	3060	Process not Found	89
PID 3060 wrote to memory of 2540	3060	Process not Found	89
PID 3060 wrote to memory of 2540	3060	Process not Found	89
PID 3060 wrote to memory of 3068	3060	Process not Found	90
PID 3060 wrote to memory of 3068	3060	Process not Found	90
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 2136 wrote to memory of 2384	2136	C64E.exe	91
PID 3060 wrote to memory of 2816	3060	Process not Found	92
PID 3060 wrote to memory of 2816	3060	Process not Found	92
PID 3060 wrote to memory of 2816	3060	Process not Found	92
PID 3060 wrote to memory of 2816	3060	Process not Found	92
PID 3060 wrote to memory of 1992	3060	Process not Found	93
PID 3060 wrote to memory of 1992	3060	Process not Found	93
PID 3060 wrote to memory of 1992	3060	Process not Found	93
PID 3060 wrote to memory of 1944	3060	Process not Found	97
PID 3060 wrote to memory of 1944	3060	Process not Found	97
PID 3060 wrote to memory of 1944	3060	Process not Found	97
PID 3060 wrote to memory of 4424	3060	Process not Found	98
PID 3060 wrote to memory of 4424	3060	Process not Found	98
PID 3060 wrote to memory of 4424	3060	Process not Found	98
PID 3060 wrote to memory of 760	3060	Process not Found	99
PID 3060 wrote to memory of 760	3060	Process not Found	99
PID 3060 wrote to memory of 760	3060	Process not Found	99
PID 3060 wrote to memory of 1836	3060	Process not Found	100
PID 3060 wrote to memory of 1836	3060	Process not Found	100
PID 3060 wrote to memory of 1836	3060	Process not Found	100
PID 3060 wrote to memory of 2280	3060	Process not Found	101
PID 3060 wrote to memory of 2280	3060	Process not Found	101
PID 3060 wrote to memory of 2280	3060	Process not Found	101
PID 3060 wrote to memory of 2920	3060	Process not Found	104
PID 3060 wrote to memory of 2920	3060	Process not Found	104
PID 3060 wrote to memory of 2920	3060	Process not Found	104
PID 3060 wrote to memory of 1888	3060	Process not Found	106
PID 3060 wrote to memory of 1888	3060	Process not Found	106
PID 3060 wrote to memory of 1888	3060	Process not Found	106
PID 3060 wrote to memory of 3920	3060	Process not Found	107
PID 3060 wrote to memory of 3920	3060	Process not Found	107
PID 3060 wrote to memory of 3920	3060	Process not Found	107
PID 3060 wrote to memory of 3920	3060	Process not Found	107
PID 3060 wrote to memory of 14000	3060	Process not Found	108
PID 3060 wrote to memory of 14000	3060	Process not Found	108
PID 3060 wrote to memory of 14000	3060	Process not Found	108

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2296

C:\Users\Admin\AppData\Local\Temp\C64E.exe
C:\Users\Admin\AppData\Local\Temp\C64E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\C64E.exe
  C:\Users\Admin\AppData\Local\Temp\C64E.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  PID:2384
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\cba75721-6a8d-4ddf-a1c8-f80c41bcf2a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:94236

C:\Users\Admin\AppData\Local\Temp\C8B1.exe
C:\Users\Admin\AppData\Local\Temp\C8B1.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3624

C:\Users\Admin\AppData\Local\Temp\D489.exe
C:\Users\Admin\AppData\Local\Temp\D489.exe
1⤵
- Executes dropped EXE
PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 580
  2⤵
  - Program crash
  PID:101184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 628
  2⤵
  - Program crash
  PID:101236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 784
  2⤵
  - Program crash
  PID:101284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 808
  2⤵
  - Program crash
  PID:101316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 888
  2⤵
  - Program crash
  PID:101352
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1340
  2⤵
  - Program crash
  PID:96640

C:\Users\Admin\AppData\Local\Temp\E042.exe
C:\Users\Admin\AppData\Local\Temp\E042.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Users\Admin\AppData\Local\Temp\E5E1.exe
C:\Users\Admin\AppData\Local\Temp\E5E1.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2788

C:\Users\Admin\AppData\Local\Temp\EA08.exe
C:\Users\Admin\AppData\Local\Temp\EA08.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2540

C:\Users\Admin\AppData\Local\Temp\EF0A.exe
C:\Users\Admin\AppData\Local\Temp\EF0A.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2816

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3A0E.exe
C:\Users\Admin\AppData\Local\Temp\3A0E.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\Temp\42E9.exe
C:\Users\Admin\AppData\Local\Temp\42E9.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\AppData\Local\Temp\48E5.exe
C:\Users\Admin\AppData\Local\Temp\48E5.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:760

C:\Users\Admin\AppData\Local\Temp\5663.exe
C:\Users\Admin\AppData\Local\Temp\5663.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Local\Temp\6171.exe
C:\Users\Admin\AppData\Local\Temp\6171.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Local\Temp\6990.exe
C:\Users\Admin\AppData\Local\Temp\6990.exe
1⤵
- Executes dropped EXE
PID:2920
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:20236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 404 -ip 404
1⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\6FEA.exe
C:\Users\Admin\AppData\Local\Temp\6FEA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:101096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:33068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:48208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:62032

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:73056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:79312

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:80892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 404 -ip 404
1⤵
PID:81068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:87360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:94220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 404 -ip 404
1⤵
PID:96640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 404 -ip 404
1⤵
PID:101220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 404 -ip 404
1⤵
PID:101264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 404 -ip 404
1⤵
PID:101300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 404 -ip 404
1⤵
PID:101336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 404 -ip 404
1⤵
PID:100876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3A0E.exe

Filesize
765KB

MD5
9af942cf03275f61b93da646449bc6fe

SHA1
557f937bf55544e758cd36487c94cf2f4493cb84

SHA256
875eccaa590c18b89561163845b65876b09d5206204696c6a3d6ed1821881006

SHA512
dafb9865f4a1cc61edea6e8b110450c0638857d7ec02dfe5560c0f89599738f95023a39753544e7bb44cf27a74ad3826280e19af79507f7aace5f033076d68c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A0E.exe

Filesize
765KB

MD5
9af942cf03275f61b93da646449bc6fe

SHA1
557f937bf55544e758cd36487c94cf2f4493cb84

SHA256
875eccaa590c18b89561163845b65876b09d5206204696c6a3d6ed1821881006

SHA512
dafb9865f4a1cc61edea6e8b110450c0638857d7ec02dfe5560c0f89599738f95023a39753544e7bb44cf27a74ad3826280e19af79507f7aace5f033076d68c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\42E9.exe

Filesize
702KB

MD5
8164181f88e99299c79630dcc323dc0b

SHA1
b5a772bcf28443b581eec3a44b3ae2dd10977fbd

SHA256
d36e565d9c9097fc6d2df5c8c4ce65e94f05b4a91eae6841d00ed0589425d087

SHA512
163a2b29f7b0a907092a6ae671239e7752dc98483145a2f93d573db3b35459a97db456d730769624fdc500ccd70e8a76158b699a2e556d009cd41c9a8d449cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\42E9.exe

Filesize
702KB

MD5
8164181f88e99299c79630dcc323dc0b

SHA1
b5a772bcf28443b581eec3a44b3ae2dd10977fbd

SHA256
d36e565d9c9097fc6d2df5c8c4ce65e94f05b4a91eae6841d00ed0589425d087

SHA512
163a2b29f7b0a907092a6ae671239e7752dc98483145a2f93d573db3b35459a97db456d730769624fdc500ccd70e8a76158b699a2e556d009cd41c9a8d449cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\48E5.exe

Filesize
342KB

MD5
83f6e420d0e55de0ef78910c864a8714

SHA1
020f77d3c008f1485252cba174108dadc4756b24

SHA256
ad1195a0d6ba108b68f30c3cece596edbee351a36407a9b4fbd0b1f6cc61726b

SHA512
43c18bbd04b0b1b40730aba03a1b6ec5eab83162d273c4ce7bde7919733406c22f528762f7d4f9c1b3928af6a4ebb01f70141c687a09fbb659efb031d7eb0485

Download Submit
C:\Users\Admin\AppData\Local\Temp\48E5.exe

Filesize
342KB

MD5
83f6e420d0e55de0ef78910c864a8714

SHA1
020f77d3c008f1485252cba174108dadc4756b24

SHA256
ad1195a0d6ba108b68f30c3cece596edbee351a36407a9b4fbd0b1f6cc61726b

SHA512
43c18bbd04b0b1b40730aba03a1b6ec5eab83162d273c4ce7bde7919733406c22f528762f7d4f9c1b3928af6a4ebb01f70141c687a09fbb659efb031d7eb0485

Download Submit
C:\Users\Admin\AppData\Local\Temp\5663.exe

Filesize
702KB

MD5
498579907d3441c04b99f3c29f7b80af

SHA1
ec410af62d37384bbb2ca2765aefb3003cda5a2c

SHA256
d07c840cc53aef447ca1910afc8b76cb3c3391bdc9c56e9583caef226f439f46

SHA512
22353bd5c29fbcc8eb7a782407b0af1e6fcbbebc2b5f033ed82c8b07106dd3047e16d2cc5cd7a9e967c7ebf7f88b3e026840863312312124c0b5fded22597065

Download Submit
C:\Users\Admin\AppData\Local\Temp\5663.exe

Filesize
702KB

MD5
498579907d3441c04b99f3c29f7b80af

SHA1
ec410af62d37384bbb2ca2765aefb3003cda5a2c

SHA256
d07c840cc53aef447ca1910afc8b76cb3c3391bdc9c56e9583caef226f439f46

SHA512
22353bd5c29fbcc8eb7a782407b0af1e6fcbbebc2b5f033ed82c8b07106dd3047e16d2cc5cd7a9e967c7ebf7f88b3e026840863312312124c0b5fded22597065

Download Submit
C:\Users\Admin\AppData\Local\Temp\6171.exe

Filesize
720KB

MD5
6a4b0bf0bd9f496ee1398e702dcb25e1

SHA1
bb020b724fc67dc818ae7a2f354fb268ed42f706

SHA256
0103856c001d654207c4496b55b06921f5ed3818450a624464c5062b7668abb5

SHA512
c09b4adf6f8fbb3718ec18aefba052e52179594ecfc6b08daede38815c03fa8ed3ca3b8de0fb4ec9acafb10f40ae835ba7f364e1c5876ae18aaf6291b444f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6171.exe

Filesize
720KB

MD5
6a4b0bf0bd9f496ee1398e702dcb25e1

SHA1
bb020b724fc67dc818ae7a2f354fb268ed42f706

SHA256
0103856c001d654207c4496b55b06921f5ed3818450a624464c5062b7668abb5

SHA512
c09b4adf6f8fbb3718ec18aefba052e52179594ecfc6b08daede38815c03fa8ed3ca3b8de0fb4ec9acafb10f40ae835ba7f364e1c5876ae18aaf6291b444f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6990.exe

Filesize
1.3MB

MD5
d8503dc90fc5ba5268bb217ed7ce4130

SHA1
14fe192cb7d3e0c64af5a7aa9637a6778bd87e1f

SHA256
78851671c1b3c98496241ac34743a36eeba5b3b469c6ac6f2cc33a4d455fb5ce

SHA512
18fa876b47c8e018753d102cac7bdb0015b9290b97536c24405bd9e55ebd1b83a9543f6ebd3ac86e106bca1233227b88024e415c8d983632f55ebf2b3f146b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6990.exe

Filesize
1.3MB

MD5
d8503dc90fc5ba5268bb217ed7ce4130

SHA1
14fe192cb7d3e0c64af5a7aa9637a6778bd87e1f

SHA256
78851671c1b3c98496241ac34743a36eeba5b3b469c6ac6f2cc33a4d455fb5ce

SHA512
18fa876b47c8e018753d102cac7bdb0015b9290b97536c24405bd9e55ebd1b83a9543f6ebd3ac86e106bca1233227b88024e415c8d983632f55ebf2b3f146b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FEA.exe

Filesize
2.4MB

MD5
523b07c6aada4b29320b90fdc08d8d3e

SHA1
f1b4bbb0975e0f20fb384e2b36f5bd1db788f5bc

SHA256
38ee1f4dda91f74b6ddcfed011128d5337c493a32e71d98a7d1dc5559f68a8dc

SHA512
7ca2d0d577d6069c7acb5e0e92fc32dfa8ea4a4bebcc867fa0b90f8f8d2c26bb9d9b511f1ff165a05bfed23cd0ce1827156b05f49486d0f4a0673865ebcb347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FEA.exe

Filesize
2.4MB

MD5
523b07c6aada4b29320b90fdc08d8d3e

SHA1
f1b4bbb0975e0f20fb384e2b36f5bd1db788f5bc

SHA256
38ee1f4dda91f74b6ddcfed011128d5337c493a32e71d98a7d1dc5559f68a8dc

SHA512
7ca2d0d577d6069c7acb5e0e92fc32dfa8ea4a4bebcc867fa0b90f8f8d2c26bb9d9b511f1ff165a05bfed23cd0ce1827156b05f49486d0f4a0673865ebcb347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64E.exe

Filesize
820KB

MD5
3fd2bbeeef907e2943ff4e2f6fb24e9a

SHA1
e403f202f605fdf9f928c135e55d32ee8757a4fb

SHA256
f1c33f28e91670ea07c5d3d0e0f4b974d98d2a80a193b8b5d5d4883188ee3470

SHA512
3cda6adc672ea4e02303fdd357a3eea203f19135b0b88ba9ae7650c47819d0376f98c5ac4fea7e1083ec42c00b3eb449b843fba31146e15e5d5e69561f24b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64E.exe

Filesize
820KB

MD5
3fd2bbeeef907e2943ff4e2f6fb24e9a

SHA1
e403f202f605fdf9f928c135e55d32ee8757a4fb

SHA256
f1c33f28e91670ea07c5d3d0e0f4b974d98d2a80a193b8b5d5d4883188ee3470

SHA512
3cda6adc672ea4e02303fdd357a3eea203f19135b0b88ba9ae7650c47819d0376f98c5ac4fea7e1083ec42c00b3eb449b843fba31146e15e5d5e69561f24b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\C64E.exe

Filesize
820KB

MD5
3fd2bbeeef907e2943ff4e2f6fb24e9a

SHA1
e403f202f605fdf9f928c135e55d32ee8757a4fb

SHA256
f1c33f28e91670ea07c5d3d0e0f4b974d98d2a80a193b8b5d5d4883188ee3470

SHA512
3cda6adc672ea4e02303fdd357a3eea203f19135b0b88ba9ae7650c47819d0376f98c5ac4fea7e1083ec42c00b3eb449b843fba31146e15e5d5e69561f24b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8B1.exe

Filesize
218KB

MD5
0884795ea17c14358c64a43c5a0c3696

SHA1
39d1a021987f709624b4d8ae14040a83ff9e1d13

SHA256
e6f46018f4baa4cf74d2f366733f9bce6d53ef4f844e4036b9837a0059b2e402

SHA512
093d845b5b35e9591d36ff316646f40184202360b65c529fdc3747c07476a4876edad31154a0e699c7b2a6d82922c72888066b3068bc8b3778a09fbb0e07251e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8B1.exe

Filesize
218KB

MD5
0884795ea17c14358c64a43c5a0c3696

SHA1
39d1a021987f709624b4d8ae14040a83ff9e1d13

SHA256
e6f46018f4baa4cf74d2f366733f9bce6d53ef4f844e4036b9837a0059b2e402

SHA512
093d845b5b35e9591d36ff316646f40184202360b65c529fdc3747c07476a4876edad31154a0e699c7b2a6d82922c72888066b3068bc8b3778a09fbb0e07251e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D489.exe

Filesize
5.9MB

MD5
b8affd95fb341b6ac058aa89e4000f74

SHA1
190deef851d2ae3429149b9be380dd6a48eb59f1

SHA256
121e9133db572fd47cb25498de323c6289baa736b12d5043f6237e6d75935861

SHA512
03850f3e31c50240feda24d19a0d88d418179aad071e3bdf1626113eba5ac06e731f1b3de8da82795ea70a9e6bf58cc1e3fa33e34a56f75fb25ff11e41bf34ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\D489.exe

Filesize
5.9MB

MD5
b8affd95fb341b6ac058aa89e4000f74

SHA1
190deef851d2ae3429149b9be380dd6a48eb59f1

SHA256
121e9133db572fd47cb25498de323c6289baa736b12d5043f6237e6d75935861

SHA512
03850f3e31c50240feda24d19a0d88d418179aad071e3bdf1626113eba5ac06e731f1b3de8da82795ea70a9e6bf58cc1e3fa33e34a56f75fb25ff11e41bf34ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\E042.exe

Filesize
3.5MB

MD5
d4381f0a771033752684747eb4d55fc7

SHA1
5a87be21de6aa7275ec3b076dfcd72469b129dd7

SHA256
a8756585ef0e2e4e7479606e49a56e52c871c24b65c356b6b38f29cbae300ecc

SHA512
9869d894bd243b5e8d957190920c6764a5fa837d34bb5c7a1ae6e8b6bd8a194e056da9e9d38d516edff17b4a3b9707f77f2a0766cf8f00de50b142abae35bf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\E042.exe

Filesize
3.5MB

MD5
d4381f0a771033752684747eb4d55fc7

SHA1
5a87be21de6aa7275ec3b076dfcd72469b129dd7

SHA256
a8756585ef0e2e4e7479606e49a56e52c871c24b65c356b6b38f29cbae300ecc

SHA512
9869d894bd243b5e8d957190920c6764a5fa837d34bb5c7a1ae6e8b6bd8a194e056da9e9d38d516edff17b4a3b9707f77f2a0766cf8f00de50b142abae35bf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5E1.exe

Filesize
218KB

MD5
a08c1dc3a98e7c05bf70668a1a1d2050

SHA1
cca710b3ed9369d10b9ccd837ce818a5d27b5209

SHA256
71cb880a73d0cb7eb933a93be2b6bb9ee394a2cda1f0f5e882d5bfc83f4e0609

SHA512
7f3671f7e84afd9286b836464b02f0dc1264b04df9aa81f6d32c0272739c376f065e9ce03fa59072d304df12669976b99560110ca3f7265160233c91bcae825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5E1.exe

Filesize
218KB

MD5
a08c1dc3a98e7c05bf70668a1a1d2050

SHA1
cca710b3ed9369d10b9ccd837ce818a5d27b5209

SHA256
71cb880a73d0cb7eb933a93be2b6bb9ee394a2cda1f0f5e882d5bfc83f4e0609

SHA512
7f3671f7e84afd9286b836464b02f0dc1264b04df9aa81f6d32c0272739c376f065e9ce03fa59072d304df12669976b99560110ca3f7265160233c91bcae825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA08.exe

Filesize
295KB

MD5
9a1ac1f6d72e30c8e7577955cd6f39c0

SHA1
850e0ca8ad16b344e162a209cee1b4e88c090aeb

SHA256
565c7afc0803040a46cce3faafc2121df15315eb2ba98318b88152b03d36e98a

SHA512
60a12a4e7a8a0b375d7c5f9624ce10c2c06dc9dde1aa4876564af799647c1ddc4f292ce610ac36d916e80d4d8bbad3d2173d82ed3dff4bbd336d1029c3bc87e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA08.exe

Filesize
295KB

MD5
9a1ac1f6d72e30c8e7577955cd6f39c0

SHA1
850e0ca8ad16b344e162a209cee1b4e88c090aeb

SHA256
565c7afc0803040a46cce3faafc2121df15315eb2ba98318b88152b03d36e98a

SHA512
60a12a4e7a8a0b375d7c5f9624ce10c2c06dc9dde1aa4876564af799647c1ddc4f292ce610ac36d916e80d4d8bbad3d2173d82ed3dff4bbd336d1029c3bc87e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF0A.exe

Filesize
3.5MB

MD5
d4381f0a771033752684747eb4d55fc7

SHA1
5a87be21de6aa7275ec3b076dfcd72469b129dd7

SHA256
a8756585ef0e2e4e7479606e49a56e52c871c24b65c356b6b38f29cbae300ecc

SHA512
9869d894bd243b5e8d957190920c6764a5fa837d34bb5c7a1ae6e8b6bd8a194e056da9e9d38d516edff17b4a3b9707f77f2a0766cf8f00de50b142abae35bf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF0A.exe

Filesize
3.5MB

MD5
d4381f0a771033752684747eb4d55fc7

SHA1
5a87be21de6aa7275ec3b076dfcd72469b129dd7

SHA256
a8756585ef0e2e4e7479606e49a56e52c871c24b65c356b6b38f29cbae300ecc

SHA512
9869d894bd243b5e8d957190920c6764a5fa837d34bb5c7a1ae6e8b6bd8a194e056da9e9d38d516edff17b4a3b9707f77f2a0766cf8f00de50b142abae35bf10

Download Submit
C:\Users\Admin\AppData\Local\cba75721-6a8d-4ddf-a1c8-f80c41bcf2a1\C64E.exe

Filesize
820KB

MD5
3fd2bbeeef907e2943ff4e2f6fb24e9a

SHA1
e403f202f605fdf9f928c135e55d32ee8757a4fb

SHA256
f1c33f28e91670ea07c5d3d0e0f4b974d98d2a80a193b8b5d5d4883188ee3470

SHA512
3cda6adc672ea4e02303fdd357a3eea203f19135b0b88ba9ae7650c47819d0376f98c5ac4fea7e1083ec42c00b3eb449b843fba31146e15e5d5e69561f24b4df

Download Submit
memory/404-244-0x0000000000400000-0x00000000009F5000-memory.dmp

Filesize
6.0MB

Download
memory/404-211-0x0000000000400000-0x00000000009F5000-memory.dmp

Filesize
6.0MB

Download
memory/404-210-0x0000000003100000-0x000000000361F000-memory.dmp

Filesize
5.1MB

Download
memory/760-205-0x00000000020B0000-0x00000000020E7000-memory.dmp

Filesize
220KB

Download
memory/760-228-0x00000000005DE000-0x00000000005FB000-memory.dmp

Filesize
116KB

Download
memory/760-204-0x00000000005DE000-0x00000000005FB000-memory.dmp

Filesize
116KB

Download
memory/760-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1992-183-0x0000000000A20000-0x0000000000A27000-memory.dmp

Filesize
28KB

Download
memory/1992-184-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2136-153-0x0000000002310000-0x00000000023A1000-memory.dmp

Filesize
580KB

Download
memory/2136-154-0x00000000024B0000-0x00000000025CB000-memory.dmp

Filesize
1.1MB

Download
memory/2296-135-0x000000000087D000-0x000000000088E000-memory.dmp

Filesize
68KB

Download
memory/2296-132-0x000000000087D000-0x000000000088E000-memory.dmp

Filesize
68KB

Download
memory/2296-134-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2296-133-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/2296-136-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2384-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2384-177-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2384-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2384-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2540-185-0x000000000055E000-0x000000000056F000-memory.dmp

Filesize
68KB

Download
memory/2540-188-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2540-186-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2788-163-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2788-182-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2788-161-0x00000000005DD000-0x00000000005EE000-memory.dmp

Filesize
68KB

Download
memory/2788-162-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/2816-200-0x0000000000F40000-0x0000000000FAB000-memory.dmp

Filesize
428KB

Download
memory/2816-190-0x0000000000F40000-0x0000000000FAB000-memory.dmp

Filesize
428KB

Download
memory/2816-189-0x0000000001200000-0x0000000001275000-memory.dmp

Filesize
468KB

Download
memory/2816-215-0x0000000000F40000-0x0000000000FAB000-memory.dmp

Filesize
428KB

Download
memory/2920-220-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/2920-254-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/2920-251-0x0000000002510000-0x00000000027D2000-memory.dmp

Filesize
2.8MB

Download
memory/2920-216-0x000000000236E000-0x000000000248C000-memory.dmp

Filesize
1.1MB

Download
memory/2920-217-0x0000000002510000-0x00000000027D2000-memory.dmp

Filesize
2.8MB

Download
memory/3008-164-0x0000000140000000-0x000000014060F000-memory.dmp

Filesize
6.1MB

Download
memory/3068-171-0x0000000140000000-0x000000014060F000-memory.dmp

Filesize
6.1MB

Download
memory/3624-145-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3624-144-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/3624-143-0x000000000074D000-0x000000000075E000-memory.dmp

Filesize
68KB

Download
memory/3624-149-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3920-259-0x0000000000FD0000-0x0000000000FD7000-memory.dmp

Filesize
28KB

Download
memory/3920-229-0x0000000000FD0000-0x0000000000FD7000-memory.dmp

Filesize
28KB

Download
memory/3920-230-0x0000000000FC0000-0x0000000000FCB000-memory.dmp

Filesize
44KB

Download
memory/14000-225-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/14000-255-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/14000-226-0x0000000000130000-0x000000000013F000-memory.dmp

Filesize
60KB

Download
memory/33068-268-0x0000000000F30000-0x0000000000F35000-memory.dmp

Filesize
20KB

Download
memory/33068-236-0x0000000000F30000-0x0000000000F35000-memory.dmp

Filesize
20KB

Download
memory/33068-237-0x0000000000F20000-0x0000000000F29000-memory.dmp

Filesize
36KB

Download
memory/48208-233-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/48208-266-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/48208-232-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/62032-240-0x0000000000F40000-0x0000000000F67000-memory.dmp

Filesize
156KB

Download
memory/62032-269-0x0000000000F70000-0x0000000000F92000-memory.dmp

Filesize
136KB

Download
memory/62032-239-0x0000000000F70000-0x0000000000F92000-memory.dmp

Filesize
136KB

Download
memory/73056-242-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/73056-241-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/80892-270-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/80892-246-0x00000000012B0000-0x00000000012BB000-memory.dmp

Filesize
44KB

Download
memory/80892-245-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/87360-271-0x0000000001080000-0x0000000001087000-memory.dmp

Filesize
28KB

Download
memory/87360-247-0x0000000001080000-0x0000000001087000-memory.dmp

Filesize
28KB

Download
memory/87360-248-0x0000000000DF0000-0x0000000000DFD000-memory.dmp

Filesize
52KB

Download
memory/94220-252-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/94220-272-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/94220-253-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/101096-267-0x0000000006110000-0x00000000063D4000-memory.dmp

Filesize
2.8MB

Download
memory/101096-265-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/101096-273-0x0000000006110000-0x00000000063D4000-memory.dmp

Filesize
2.8MB

Download
memory/101096-258-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download