danabot | b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
Size

243KB
MD5

e8b18e3aa941a9eccdd8a2b2f86b611c
SHA1

41a186b412a0f796baae314a4479890453fc46d1
SHA256

b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e
SHA512

a7cbe8fcd2874784ac967a251830a2335e4b32eebf48686477c9655f6387652672e0aed7c351fbdf06d8ced10a59186be0b5bc5581df943f2a73141654aa3ee1
SSDEEP

3072:/XrbPdMLPg6lVKmdX5Ov6VNJ8z/4I30Vjn89r1e9kqdcNC7E1p3Koah4M7WMpij:vndMLnKmerw+1MG6cdWmPI2

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5060-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

79 5096 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

5F37.exeF54E.exefaurute

pid process

880 5F37.exe
2252 F54E.exe
2152 faurute
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

F54E.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation F54E.exe
Loads dropped DLL 3 IoCs

Processes:

F54E.exe

pid process

2252 F54E.exe
2252 F54E.exe
2252 F54E.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

5F37.exe

description pid process target process

PID 880 set thread context of 5096 880 5F37.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4252 2252 WerFault.exe F54E.exe

flow	pid	process
79	5096	rundll32.exe

pid	process
880	5F37.exe
2252	F54E.exe
2152	faurute

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	F54E.exe

pid	process
2252	F54E.exe
2252	F54E.exe
2252	F54E.exe

description	pid	process	target process
PID 880 set thread context of 5096	880	5F37.exe	rundll32.exe

pid	pid_target	process	target process
4252	2252	WerFault.exe	F54E.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exefauruteb911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faurute
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faurute
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faurute
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5F37.exerundll32.exeF54E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	5F37.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	5F37.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	F54E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	F54E.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	5F37.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5F37.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	5F37.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	5F37.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3936 timeout.exe

pid	process
3936	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 21 IoCs

Processes:

OpenWith.exe5F37.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	5F37.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe

pid	process
5060	b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
5060	b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exefaurute

pid process

5060 b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
2152 faurute

pid	process
3032

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3428	svchost.exe
Token: SeShutdownPrivilege	3428	svchost.exe
Token: SeCreatePagefilePrivilege	3428	svchost.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

5096 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

2568 OpenWith.exe
3032
3032

pid	process
5096	rundll32.exe

pid	process
2568	OpenWith.exe
3032
3032

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5F37.exeF54E.execmd.exe

description	pid	process	target process
PID 3032 wrote to memory of 880	3032		5F37.exe
PID 3032 wrote to memory of 880	3032		5F37.exe
PID 3032 wrote to memory of 880	3032		5F37.exe
PID 880 wrote to memory of 2372	880	5F37.exe	agentactivationruntimestarter.exe
PID 880 wrote to memory of 2372	880	5F37.exe	agentactivationruntimestarter.exe
PID 880 wrote to memory of 2372	880	5F37.exe	agentactivationruntimestarter.exe
PID 3032 wrote to memory of 2252	3032		F54E.exe
PID 3032 wrote to memory of 2252	3032		F54E.exe
PID 3032 wrote to memory of 2252	3032		F54E.exe
PID 2252 wrote to memory of 1272	2252	F54E.exe	cmd.exe
PID 2252 wrote to memory of 1272	2252	F54E.exe	cmd.exe
PID 2252 wrote to memory of 1272	2252	F54E.exe	cmd.exe
PID 1272 wrote to memory of 3936	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 3936	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 3936	1272	cmd.exe	timeout.exe
PID 880 wrote to memory of 5096	880	5F37.exe	rundll32.exe
PID 880 wrote to memory of 5096	880	5F37.exe	rundll32.exe
PID 880 wrote to memory of 5096	880	5F37.exe	rundll32.exe
PID 880 wrote to memory of 5096	880	5F37.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe
"C:\Users\Admin\AppData\Local\Temp\b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5060

C:\Users\Admin\AppData\Local\Temp\5F37.exe
C:\Users\Admin\AppData\Local\Temp\5F37.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:2372

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x4fc
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\F54E.exe
C:\Users\Admin\AppData\Local\Temp\F54E.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\F54E.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1600
2⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2252 -ip 2252
1⤵
PID:1896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Users\Admin\AppData\Roaming\faurute
C:\Users\Admin\AppData\Roaming\faurute
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F37.exe
Filesize
8.4MB

MD5
182b2fd847f91f5a381ce332366b9c8f

SHA1
0df2d790667dd74ce9964839f5b10b4c5a7c1442

SHA256
118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704

SHA512
7139a94b89e147e5b2051f823842d5e09f1134993430a96b491a197c31a073a34f8d72e94fe7160c464bf01775e7d157378bd381ca0bf0950488438409ee53da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F37.exe
Filesize
8.4MB

MD5
182b2fd847f91f5a381ce332366b9c8f

SHA1
0df2d790667dd74ce9964839f5b10b4c5a7c1442

SHA256
118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704

SHA512
7139a94b89e147e5b2051f823842d5e09f1134993430a96b491a197c31a073a34f8d72e94fe7160c464bf01775e7d157378bd381ca0bf0950488438409ee53da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
bb547dd45ea43ede6061995b4501b67c

SHA1
2f33b48ae90b11c5e940ae0f30c298d5d01f78be

SHA256
1e468f7498982fd02504ba0511bc09256fdfc7d9157b732f46b621148304c34c

SHA512
103c72ab5634ad1db1b45770b21582468524920ada0b6dcdbc0b979d851adb0af2ed4ff8d014427bf61182b0e0758eefe8739c8d1c01717f96e11d238d7605f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F54E.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F54E.exe
Filesize
318KB

MD5
e58c70e8e2cde5c7aee3975db0a2e559

SHA1
4c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe

SHA256
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf

SHA512
b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_194409742.html
Filesize
93KB

MD5
71758797ae7914b1227d0b34c30c0797

SHA1
f63e17acdd4f8ed417c476a19742547291408963

SHA256
62bfa55487dface1cb7989308d91488315e79714153a4e40e1c14d4ca7a4a1c2

SHA512
98be11d1d910ad96ca12c39262e0be6ce451baebb2ceb0cc559762906e4993bdfaf7bdf3cb38eb67e055c9778560fe686fe155b39f8afc4a9d70880c14e9a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf06a67-45af-44d3-bf33-5212b4da62fa.tmp
Filesize
23KB

MD5
7cd73270bd735f9fe77bc9278f9f2b8b

SHA1
b27a898970297c750fb7e4d70ad8f87c1e6c1739

SHA256
ee80340a02c0f96a3f9d01e635857d38d7b92444d6102ee29804f559f2eaa7f4

SHA512
1fe70455d4d8c0fbab9ef20cf85d0de55fea9f18499c653af5d234462aa5c45eaacceadab39e9be62dc548af4f710362dd34970e1d8a666bf09fe4101bf32077

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4844.log
Filesize
470B

MD5
467995413210c7391415743b595525c4

SHA1
f3ca1cf58a0e3285359840b39bcb30d49a7424d6

SHA256
cf0b731d7efcb55d5bf659817e88dcbb0aa3c6a0fe66d11ad965f1812eb3689e

SHA512
eb8987cd31907911197a818a84c790584c13a55d7a104afb542c066b66b0bd9d7c34b4fb07601bb6d31d9829d5d04eb3ad3947e7ea25c5915128ab96b9e42247

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI645A.txt
Filesize
11KB

MD5
7b873b39db7b02204b2619e7ad882462

SHA1
6277c99ed98c622c7fbc190669144ccb3744c4c4

SHA256
2814f20a867472a4137808b9695eec04264dddbb2e5e9d447fd0f46c4f303b96

SHA512
429213d5ea5f84bbbd25daecfee504bafca10606204fb53569475112ef969355f9c90eb33a9af7e63ac89adef1d3e2b0af0029eff12ed2b93d265f3f89793a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct8A4A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
16a993a13d195d20dca07319d0725671

SHA1
2642524456da144d2db89ea760fdd788461d74db

SHA256
4f17ddbb8ccc7da41e95a5f5bd1c4c7c99f7bf321cfdf67988e32591a4e375f2

SHA512
afaea880275fa137598f5bb676059966e5b3df29473ad978ae1e4e378b674d9e52cb79629a0be5399c02170306658a635d909efe8b82daa848328858d1cf0be0

Download Submit
C:\Users\Admin\AppData\Roaming\faurute
Filesize
243KB

MD5
e8b18e3aa941a9eccdd8a2b2f86b611c

SHA1
41a186b412a0f796baae314a4479890453fc46d1

SHA256
b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e

SHA512
a7cbe8fcd2874784ac967a251830a2335e4b32eebf48686477c9655f6387652672e0aed7c351fbdf06d8ced10a59186be0b5bc5581df943f2a73141654aa3ee1

Download Submit
C:\Users\Admin\AppData\Roaming\faurute
Filesize
243KB

MD5
e8b18e3aa941a9eccdd8a2b2f86b611c

SHA1
41a186b412a0f796baae314a4479890453fc46d1

SHA256
b911d8dc00380696ca821a1ef90a5aede46ddc20ee7e459e4edc8583108ad34e

SHA512
a7cbe8fcd2874784ac967a251830a2335e4b32eebf48686477c9655f6387652672e0aed7c351fbdf06d8ced10a59186be0b5bc5581df943f2a73141654aa3ee1

Download Submit
memory/880-164-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-171-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-190-0x00000000072B0000-0x0000000007D62000-memory.dmp

Filesize
10.7MB

Download
memory/880-170-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-157-0x0000000000400000-0x0000000003451000-memory.dmp

Filesize
48.3MB

Download
memory/880-158-0x0000000000400000-0x0000000003451000-memory.dmp

Filesize
48.3MB

Download
memory/880-143-0x0000000000400000-0x0000000003451000-memory.dmp

Filesize
48.3MB

Download
memory/880-141-0x0000000005910000-0x00000000062E6000-memory.dmp

Filesize
9.8MB

Download
memory/880-161-0x00000000072B0000-0x0000000007D62000-memory.dmp

Filesize
10.7MB

Download
memory/880-162-0x00000000072B0000-0x0000000007D62000-memory.dmp

Filesize
10.7MB

Download
memory/880-163-0x00000000072B0000-0x0000000007D62000-memory.dmp

Filesize
10.7MB

Download
memory/880-142-0x0000000000400000-0x0000000003451000-memory.dmp

Filesize
48.3MB

Download
memory/880-165-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-166-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-167-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-168-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-169-0x0000000007FE0000-0x0000000008120000-memory.dmp

Filesize
1.2MB

Download
memory/880-185-0x0000000000400000-0x0000000003451000-memory.dmp

Filesize
48.3MB

Download
memory/880-136-0x0000000000000000-mapping.dmp

Download
memory/880-140-0x00000000037ED000-0x0000000004028000-memory.dmp

Filesize
8.2MB

Download
memory/1272-153-0x0000000000000000-mapping.dmp

Download
memory/2152-187-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/2152-186-0x0000000002F83000-0x0000000002F99000-memory.dmp

Filesize
88KB

Download
memory/2152-189-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/2252-149-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/2252-155-0x0000000002CF3000-0x0000000002D1F000-memory.dmp

Filesize
176KB

Download
memory/2252-156-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/2252-148-0x0000000002FB0000-0x0000000002FF9000-memory.dmp

Filesize
292KB

Download
memory/2252-147-0x0000000002CF3000-0x0000000002D1F000-memory.dmp

Filesize
176KB

Download
memory/2252-144-0x0000000000000000-mapping.dmp

Download
memory/2372-139-0x0000000000000000-mapping.dmp

Download
memory/3936-154-0x0000000000000000-mapping.dmp

Download
memory/5060-135-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/5060-134-0x0000000000400000-0x0000000002C2A000-memory.dmp

Filesize
40.2MB

Download
memory/5060-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/5060-132-0x0000000002E52000-0x0000000002E67000-memory.dmp

Filesize
84KB

Download
memory/5096-172-0x0000000000000000-mapping.dmp

Download
memory/5096-174-0x0000000003690000-0x0000000004142000-memory.dmp

Filesize
10.7MB

Download
memory/5096-173-0x0000000001200000-0x0000000001B92000-memory.dmp

Filesize
9.6MB

Download
memory/5096-188-0x0000000003690000-0x0000000004142000-memory.dmp

Filesize
10.7MB

Download
memory/5096-176-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5096-175-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download