danabot | 687ba3d4b1f5fe4137ccdc7c63260de238c06631685d0679b942b4dd77f65a0c

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

229KB
MD5

efd81670221815c45ad8f9da43337855
SHA1

ece37b1c448d7015fe1b55f2a8903df34a384b7a
SHA256

687ba3d4b1f5fe4137ccdc7c63260de238c06631685d0679b942b4dd77f65a0c
SHA512

f5d92a241e06b245dbfa57ecab8a617060219a1ce43f2432e8528257bf51e1c2dca761ecf6edd4905bb28bab4b56698a039dfb9d1e9564f83d761a2b3bb3e7d5
SSDEEP

3072:+h2VDwyAQHtrdUvFb4LrcBYxWQ8G6FgZoVI+UA4JEfdnq5QwP5iGUPKk:+hELHv4GLroYxR7oVU/Jwdne5oPK

Score

10^/10

danabot smokeloader backdoor banker spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4880-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
66	5080	rundll32.exe
69	1152	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4540	4C3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4540 set thread context of 1152	4540	4C3.exe	104

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1248	4540	WerFault.exe	90
4732	4540	WerFault.exe	90
1612	4540	WerFault.exe	90
3716	4540	WerFault.exe	90

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	4C3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	4C3.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4C3.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	4C3.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4C3.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	4C3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	4C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	4C3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Modifies registry class 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31DD231FF4F31A147D58F6807BEF3636C14D012C\Blob = 03000000010000001400000031dd231ff4f31a147d58f6807bef3636c14d012c20000000010000009602000030820292308201fba00302010202080b9da92416b5bf1f300d06092a864886f70d01010b050030643136303406035504030c2d53796d616e74686320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3230313031393137343430315a170d3234313031383137343430315a30643136303406035504030c2d53796d616e74686320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100eb0453ddc07429d3ce5ae052d04920612a81843b38206f99fd8ec0dfb2f4ad0ce42a8f6e36237395ae5ab4f70993590c79ca856a7289e3774afc5309957ae8f7e268584bc2e0ad32b5a6bd17d3ae497a8df2b52b4ac012be742d4eef1b327ac7ad23b162cd9e2b749e998b64df66992793f8600b5fc375e0e94535fe0e0751bd0203010001a34d304b300f0603551d130101ff040530030101ff30380603551d110431302f822d53796d616e74686320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b050003818100c7f1398749cbe3c4bc1cf426963ef366705bc6c63dbeab5126690014c4ed82a7e0a393881870631c81f536d08ec2a69517283bfbe80beab30dc662bac4fe57a0511c474546663885338ae63443f9774539bb78b2e3dbfed71e03280400dd5ea24519041752c9309fe1a7ed20a2476c029eb7bcc33f64eb43c985295cd15ed14b	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31DD231FF4F31A147D58F6807BEF3636C14D012C	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2056	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	file.exe
4880	file.exe
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found
2056	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4880	file.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	3988	svchost.exe
Token: SeShutdownPrivilege	3988	svchost.exe
Token: SeCreatePagefilePrivilege	3988	svchost.exe
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found
Token: SeShutdownPrivilege	2056	Process not Found
Token: SeCreatePagefilePrivilege	2056	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1152	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2056	Process not Found
2056	Process not Found

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 4540	2056	Process not Found	90
PID 2056 wrote to memory of 4540	2056	Process not Found	90
PID 2056 wrote to memory of 4540	2056	Process not Found	90
PID 4540 wrote to memory of 1300	4540	4C3.exe	91
PID 4540 wrote to memory of 1300	4540	4C3.exe	91
PID 4540 wrote to memory of 1300	4540	4C3.exe	91
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 5080	4540	4C3.exe	96
PID 4540 wrote to memory of 1152	4540	4C3.exe	104
PID 4540 wrote to memory of 1152	4540	4C3.exe	104
PID 4540 wrote to memory of 1152	4540	4C3.exe	104
PID 4540 wrote to memory of 1152	4540	4C3.exe	104

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4880

C:\Users\Admin\AppData\Local\Temp\4C3.exe
C:\Users\Admin\AppData\Local\Temp\4C3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:1300
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 620
  2⤵
  - Program crash
  PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 872
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 872
  2⤵
  - Program crash
  PID:1612
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  PID:1152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 952
  2⤵
  - Program crash
  PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x514
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4540 -ip 4540
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4540 -ip 4540
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4540 -ip 4540
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4540 -ip 4540
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4C3.exe

Filesize
1.3MB

MD5
9086c7e8a60b530d6fd90743102f2c40

SHA1
30ff489ef0285150f10e02b7c0d98ac9eb926e53

SHA256
0ea1ab2604f12064822e22e81183f68b671d6dd9ddfac5b8ec537949433db3b0

SHA512
a03a76658bf9cf8b897337c1d60baf075d8b28a8748c5b66e3bcea8e84752051b2b6d0761bc4a8efa1152eeaedac115cd529a52d9ad271d470c08f8d5752c396

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C3.exe

Filesize
1.3MB

MD5
9086c7e8a60b530d6fd90743102f2c40

SHA1
30ff489ef0285150f10e02b7c0d98ac9eb926e53

SHA256
0ea1ab2604f12064822e22e81183f68b671d6dd9ddfac5b8ec537949433db3b0

SHA512
a03a76658bf9cf8b897337c1d60baf075d8b28a8748c5b66e3bcea8e84752051b2b6d0761bc4a8efa1152eeaedac115cd529a52d9ad271d470c08f8d5752c396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp

Filesize
3.3MB

MD5
8b9c0f72deaf2ee06e7441209cbe4ffb

SHA1
34912f3c7f4285d85497c96e95c33e5d6a597c97

SHA256
1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

SHA512
db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

Download Submit
memory/1152-224-0x0000000003140000-0x0000000003C03000-memory.dmp

Filesize
10.8MB

Download
memory/1152-222-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/1152-223-0x0000000003140000-0x0000000003C03000-memory.dmp

Filesize
10.8MB

Download
memory/1152-221-0x0000000003CD0000-0x0000000003E10000-memory.dmp

Filesize
1.2MB

Download
memory/1152-219-0x0000000003140000-0x0000000003C03000-memory.dmp

Filesize
10.8MB

Download
memory/1152-220-0x0000000000CA0000-0x0000000001644000-memory.dmp

Filesize
9.6MB

Download
memory/2056-182-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-188-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-148-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-149-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-150-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-151-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-153-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2056-146-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-145-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-136-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-137-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-138-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-139-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2056-140-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-170-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-171-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-172-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-173-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-175-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-176-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-177-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-178-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-179-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-180-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-181-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-144-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-183-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/2056-184-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-185-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-186-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/2056-187-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-147-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-141-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-142-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/2056-143-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4540-215-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-217-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-225-0x0000000002FB0000-0x0000000003A73000-memory.dmp

Filesize
10.8MB

Download
memory/4540-160-0x00000000009C9000-0x0000000000AE7000-memory.dmp

Filesize
1.1MB

Download
memory/4540-161-0x0000000002490000-0x0000000002752000-memory.dmp

Filesize
2.8MB

Download
memory/4540-162-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4540-165-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4540-189-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4540-208-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4540-216-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-190-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4540-206-0x0000000002FB0000-0x0000000003A73000-memory.dmp

Filesize
10.8MB

Download
memory/4540-214-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-213-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-212-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-211-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-210-0x0000000003B40000-0x0000000003C80000-memory.dmp

Filesize
1.2MB

Download
memory/4540-209-0x0000000002FB0000-0x0000000003A73000-memory.dmp

Filesize
10.8MB

Download
memory/4540-207-0x0000000002FB0000-0x0000000003A73000-memory.dmp

Filesize
10.8MB

Download
memory/4880-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4880-134-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4880-135-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4880-132-0x00000000007B3000-0x00000000007C4000-memory.dmp

Filesize
68KB

Download
memory/5080-199-0x0000000000D60000-0x0000000000D63000-memory.dmp

Filesize
12KB

Download
memory/5080-196-0x0000000000D30000-0x0000000000D33000-memory.dmp

Filesize
12KB

Download
memory/5080-201-0x0000000000D80000-0x0000000000D83000-memory.dmp

Filesize
12KB

Download
memory/5080-197-0x0000000000D40000-0x0000000000D43000-memory.dmp

Filesize
12KB

Download
memory/5080-202-0x0000000000D90000-0x0000000000D93000-memory.dmp

Filesize
12KB

Download
memory/5080-204-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

Filesize
12KB

Download
memory/5080-198-0x0000000000D50000-0x0000000000D53000-memory.dmp

Filesize
12KB

Download
memory/5080-203-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

Filesize
12KB

Download
memory/5080-195-0x0000000000D20000-0x0000000000D23000-memory.dmp

Filesize
12KB

Download
memory/5080-194-0x0000000000D10000-0x0000000000D13000-memory.dmp

Filesize
12KB

Download
memory/5080-193-0x0000000000D00000-0x0000000000D03000-memory.dmp

Filesize
12KB

Download
memory/5080-192-0x0000000000CF0000-0x0000000000CF3000-memory.dmp

Filesize
12KB

Download
memory/5080-200-0x0000000000D70000-0x0000000000D73000-memory.dmp

Filesize
12KB

Download