danabot | f8ead10cd80934a84d94736726e5f3c2098731df934e5e0765bfedf1cd153201

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
Size

214KB
MD5

844d904358f1104737af49ac21057a8a
SHA1

64c86013126bea19c0ae68d583b5bb749039b49d
SHA256

f8ead10cd80934a84d94736726e5f3c2098731df934e5e0765bfedf1cd153201
SHA512

e23e033812d6cb40ca0562be2996418140eae46eb97d379a675ebad6a0232b3aeb7df0f817825eb60994a06ae812a47c683b1110be0fbd792c591c303a2a0ae1
SSDEEP

3072:MGkikefG32ZvztHTe+tDZnzpPbnbv5C8hZb4/FA001jqsxkgaBChcpZa9uD6VdyX:Ip32Jzl6+tDJpzo8jrzigafwVf

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/368-133-0x0000000000BE0000-0x0000000000BE9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

88 2448 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

4DC2.exeC600.exe

pid process

2160 4DC2.exe
4416 C600.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

C600.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C600.exe
Loads dropped DLL 3 IoCs

Processes:

C600.exe

pid process

4416 C600.exe
4416 C600.exe
4416 C600.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

4DC2.exe

description pid process target process

PID 2160 set thread context of 2448 2160 4DC2.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
88	2448	rundll32.exe

pid	process
2160	4DC2.exe
4416	C600.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	C600.exe

pid	process
4416	C600.exe
4416	C600.exe
4416	C600.exe

description	pid	process	target process
PID 2160 set thread context of 2448	2160	4DC2.exe	rundll32.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2212	4416	WerFault.exe	C600.exe
3484	2160	WerFault.exe	4DC2.exe
3792	2160	WerFault.exe	4DC2.exe
4964	2160	WerFault.exe	4DC2.exe
4272	2160	WerFault.exe	4DC2.exe
2140	2160	WerFault.exe	4DC2.exe
4308	2160	WerFault.exe	4DC2.exe
3036	2160	WerFault.exe	4DC2.exe
1748	2160	WerFault.exe	4DC2.exe
3604	2160	WerFault.exe	4DC2.exe
4056	2160	WerFault.exe	4DC2.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeF8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4DC2.exerundll32.exeC600.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C600.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	4DC2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4DC2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	4DC2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C600.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	4DC2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	4DC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4108 timeout.exe

pid	process
4108	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 21 IoCs

Processes:

OpenWith.exe4DC2.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	4DC2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2724

pid	process
2724

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe

pid	process
368	F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
368	F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2724
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe

pid process

368 F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe

pid	process
2724

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4624	svchost.exe
Token: SeShutdownPrivilege	4624	svchost.exe
Token: SeCreatePagefilePrivilege	4624	svchost.exe
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2448 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

3108 OpenWith.exe
2724
2724

pid	process
2448	rundll32.exe

pid	process
3108	OpenWith.exe
2724
2724

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4DC2.exeC600.execmd.exe

description	pid	process	target process
PID 2724 wrote to memory of 2160	2724		4DC2.exe
PID 2724 wrote to memory of 2160	2724		4DC2.exe
PID 2724 wrote to memory of 2160	2724		4DC2.exe
PID 2160 wrote to memory of 4684	2160	4DC2.exe	agentactivationruntimestarter.exe
PID 2160 wrote to memory of 4684	2160	4DC2.exe	agentactivationruntimestarter.exe
PID 2160 wrote to memory of 4684	2160	4DC2.exe	agentactivationruntimestarter.exe
PID 2724 wrote to memory of 4416	2724		C600.exe
PID 2724 wrote to memory of 4416	2724		C600.exe
PID 2724 wrote to memory of 4416	2724		C600.exe
PID 4416 wrote to memory of 4392	4416	C600.exe	cmd.exe
PID 4416 wrote to memory of 4392	4416	C600.exe	cmd.exe
PID 4416 wrote to memory of 4392	4416	C600.exe	cmd.exe
PID 4392 wrote to memory of 4108	4392	cmd.exe	timeout.exe
PID 4392 wrote to memory of 4108	4392	cmd.exe	timeout.exe
PID 4392 wrote to memory of 4108	4392	cmd.exe	timeout.exe
PID 2160 wrote to memory of 2448	2160	4DC2.exe	rundll32.exe
PID 2160 wrote to memory of 2448	2160	4DC2.exe	rundll32.exe
PID 2160 wrote to memory of 2448	2160	4DC2.exe	rundll32.exe
PID 2160 wrote to memory of 2448	2160	4DC2.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe
"C:\Users\Admin\AppData\Local\Temp\F8EAD10CD80934A84D94736726E5F3C2098731DF934E5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:368

C:\Users\Admin\AppData\Local\Temp\4DC2.exe
C:\Users\Admin\AppData\Local\Temp\4DC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 652
2⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 968
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1000
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1124
2⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 996
2⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 996
2⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1160
2⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1296
2⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1068
2⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1448
2⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d8 0x308
1⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\C600.exe
C:\Users\Admin\AppData\Local\Temp\C600.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C600.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1988
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4416 -ip 4416
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2160 -ip 2160
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2160 -ip 2160
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2160 -ip 2160
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2160 -ip 2160
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2160 -ip 2160
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2160 -ip 2160
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2160 -ip 2160
1⤵
PID:4016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2160 -ip 2160
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2160 -ip 2160
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2160 -ip 2160
1⤵
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DC2.exe
Filesize
8.4MB

MD5
1f5a4d782148000437eca485f0c96f84

SHA1
bfd998befaf9835200fb42f16d3016fb5391ef23

SHA256
aa91dd8b42fa14bad304ac23a78b5ae726fc5824e14f5f89ed13601b8ea00596

SHA512
698160dc4c5dce49f18893c5fc8fbb2e88f963426fbd6e87cc518e82a0aca31d26362d4e1377ba0e7afd20b6fa24f2eddd7adf4dd1793b2e616055abacd0bde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DC2.exe
Filesize
8.4MB

MD5
1f5a4d782148000437eca485f0c96f84

SHA1
bfd998befaf9835200fb42f16d3016fb5391ef23

SHA256
aa91dd8b42fa14bad304ac23a78b5ae726fc5824e14f5f89ed13601b8ea00596

SHA512
698160dc4c5dce49f18893c5fc8fbb2e88f963426fbd6e87cc518e82a0aca31d26362d4e1377ba0e7afd20b6fa24f2eddd7adf4dd1793b2e616055abacd0bde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\646a9946-d110-45e4-9694-7f4449423a86.tmp
Filesize
85KB

MD5
a5e8325a46bc84636d7db83520e57167

SHA1
4fd6f878b368fc76782805aec08d08e831357769

SHA256
43307d12c1ff7e50bec7e011cc421d07fa2b80c1f62ce25e1c3725cc7758f089

SHA512
507a692b67de06cc46a7019cd51d2e2b50419a2671d6125f890216f705e6f36424d7ab6b157d3b4bdf40103b1683169329d2d85813611ca179373fa7a1e3875d

Download Submit
C:\Users\Admin\AppData\Local\Temp\84c7bf32-db39-40e7-95b4-e9bdddb0a182.tmp
Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\C600.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\C600.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
fe4f6a24e5ab9d2d90051411307cf3a8

SHA1
a65b12b4d8e225eda13862b7ed6f30f56abb9569

SHA256
5ffbef5b65d7969e912ccdad478d225a1927480b6da0f6fa30156ca5eddb7ef5

SHA512
6e6159b5b13f21a2c13cffd92496d384aad7871fc2af079870b12068f9b646a785841b486c94993076cd25638ec8a0abb4aee5451d9602f05469e220f0747c0d

Download Submit
memory/368-132-0x0000000000801000-0x000000000080F000-memory.dmp

Filesize
56KB

Download
memory/368-135-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/368-134-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/368-133-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/2160-158-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-166-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-183-0x0000000004DA0000-0x0000000005852000-memory.dmp

Filesize
10.7MB

Download
memory/2160-182-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-181-0x0000000001283000-0x0000000001ABE000-memory.dmp

Filesize
8.2MB

Download
memory/2160-143-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-136-0x0000000000000000-mapping.dmp

Download
memory/2160-140-0x0000000001283000-0x0000000001ABE000-memory.dmp

Filesize
8.2MB

Download
memory/2160-141-0x0000000003360000-0x0000000003D36000-memory.dmp

Filesize
9.8MB

Download
memory/2160-170-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-157-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-142-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2160-159-0x0000000004DA0000-0x0000000005852000-memory.dmp

Filesize
10.7MB

Download
memory/2160-160-0x0000000004DA0000-0x0000000005852000-memory.dmp

Filesize
10.7MB

Download
memory/2160-161-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-162-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-163-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-164-0x0000000004DA0000-0x0000000005852000-memory.dmp

Filesize
10.7MB

Download
memory/2160-165-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-169-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-167-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2160-168-0x00000000059E0000-0x0000000005B20000-memory.dmp

Filesize
1.2MB

Download
memory/2448-180-0x0000000002DB0000-0x0000000003862000-memory.dmp

Filesize
10.7MB

Download
memory/2448-184-0x0000000002DB0000-0x0000000003862000-memory.dmp

Filesize
10.7MB

Download
memory/2448-171-0x0000000000000000-mapping.dmp

Download
memory/2448-172-0x0000000002DB0000-0x0000000003862000-memory.dmp

Filesize
10.7MB

Download
memory/2448-173-0x0000000003950000-0x0000000003A90000-memory.dmp

Filesize
1.2MB

Download
memory/2448-174-0x0000000003950000-0x0000000003A90000-memory.dmp

Filesize
1.2MB

Download
memory/2448-177-0x0000000000830000-0x00000000011C2000-memory.dmp

Filesize
9.6MB

Download
memory/4108-154-0x0000000000000000-mapping.dmp

Download
memory/4392-153-0x0000000000000000-mapping.dmp

Download
memory/4416-148-0x0000000000A40000-0x0000000000A89000-memory.dmp

Filesize
292KB

Download
memory/4416-155-0x0000000000853000-0x000000000087F000-memory.dmp

Filesize
176KB

Download
memory/4416-144-0x0000000000000000-mapping.dmp

Download
memory/4416-147-0x0000000000853000-0x000000000087F000-memory.dmp

Filesize
176KB

Download
memory/4416-149-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4416-156-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4684-139-0x0000000000000000-mapping.dmp

Download