cryptbot | 5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb66635db25adaf05b9c09

Analysis

max time kernel
145s
max time network
157s
platform
windows10_x64
resource
win10v20210410
submitted
27-05-2021 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
Size

731KB
MD5

e260d16f617dde31e0e98a8aa85ffb51
SHA1

4b7e5a4d7f7d5652c3a410736c91629ac4bd9560
SHA256

5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb66635db25adaf05b9c09
SHA512

5d07d13344ab7cd9dc2913d37f32172c62c48ce1cbde9a4206056748e1b74090bd96971fef8ade76efcf5a3584591ce72b23e666d4ceef09de8a0a45f424acec

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

geopgb32.top

morzax03.top

Attributes

payload_url
http://rogyqs04.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3992-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3992-114-0x0000000002160000-0x0000000002241000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

50 3160 RUNDLL32.EXE
60 2868 WScript.exe
62 2868 WScript.exe
64 2868 WScript.exe
66 2868 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

NgrsyLjG.exevpn.exe4.exeAvete.exe.comAvete.exe.comSmartClock.exeAvete.exe.combppjfdgmynfj.exe

pid process

2208 NgrsyLjG.exe
684 vpn.exe
3332 4.exe
2732 Avete.exe.com
184 Avete.exe.com
4064 SmartClock.exe
3464 Avete.exe.com
3932 bppjfdgmynfj.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

NgrsyLjG.exerundll32.exeRUNDLL32.EXE

pid process

2208 NgrsyLjG.exe
2920 rundll32.exe
3160 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Avete.exe.com

description pid process target process

PID 184 set thread context of 3464 184 Avete.exe.com Avete.exe.com

flow	pid	process
50	3160	RUNDLL32.EXE
60	2868	WScript.exe
62	2868	WScript.exe
64	2868	WScript.exe
66	2868	WScript.exe

pid	process
2208	NgrsyLjG.exe
684	vpn.exe
3332	4.exe
2732	Avete.exe.com
184	Avete.exe.com
4064	SmartClock.exe
3464	Avete.exe.com
3932	bppjfdgmynfj.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
2208	NgrsyLjG.exe
2920	rundll32.exe
3160	RUNDLL32.EXE

flow	ioc
35	ip-api.com

description	pid	process	target process
PID 184 set thread context of 3464	184	Avete.exe.com	Avete.exe.com

Drops file in Program Files directory 3 IoCs

Processes:

NgrsyLjG.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	NgrsyLjG.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	NgrsyLjG.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	NgrsyLjG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exeAvete.exe.comRUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avete.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Avete.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2296 timeout.exe
Modifies registry class 1 IoCs

Processes:

Avete.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Avete.exe.com

pid	process
2296	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Avete.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2464 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4064 SmartClock.exe

pid	process
2464	PING.EXE

pid	process
4064	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
1244	powershell.exe
1244	powershell.exe
1244	powershell.exe
3160	RUNDLL32.EXE
3160	RUNDLL32.EXE
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2920	rundll32.exe
Token: SeDebugPrivilege	3160	RUNDLL32.EXE
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exeRUNDLL32.EXE

pid process

3992 5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
3992 5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
3160 RUNDLL32.EXE

pid	process
3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
3160	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.execmd.exeNgrsyLjG.exevpn.execmd.execmd.execmd.exeAvete.exe.com4.exeAvete.exe.comAvete.exe.combppjfdgmynfj.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 3992 wrote to memory of 3808	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 3992 wrote to memory of 3808	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 3992 wrote to memory of 3808	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 3808 wrote to memory of 2208	3808	cmd.exe	NgrsyLjG.exe
PID 3808 wrote to memory of 2208	3808	cmd.exe	NgrsyLjG.exe
PID 3808 wrote to memory of 2208	3808	cmd.exe	NgrsyLjG.exe
PID 2208 wrote to memory of 684	2208	NgrsyLjG.exe	vpn.exe
PID 2208 wrote to memory of 684	2208	NgrsyLjG.exe	vpn.exe
PID 2208 wrote to memory of 684	2208	NgrsyLjG.exe	vpn.exe
PID 2208 wrote to memory of 3332	2208	NgrsyLjG.exe	4.exe
PID 2208 wrote to memory of 3332	2208	NgrsyLjG.exe	4.exe
PID 2208 wrote to memory of 3332	2208	NgrsyLjG.exe	4.exe
PID 684 wrote to memory of 3152	684	vpn.exe	cmd.exe
PID 684 wrote to memory of 3152	684	vpn.exe	cmd.exe
PID 684 wrote to memory of 3152	684	vpn.exe	cmd.exe
PID 3152 wrote to memory of 1256	3152	cmd.exe	cmd.exe
PID 3152 wrote to memory of 1256	3152	cmd.exe	cmd.exe
PID 3152 wrote to memory of 1256	3152	cmd.exe	cmd.exe
PID 1256 wrote to memory of 3864	1256	cmd.exe	findstr.exe
PID 1256 wrote to memory of 3864	1256	cmd.exe	findstr.exe
PID 1256 wrote to memory of 3864	1256	cmd.exe	findstr.exe
PID 1256 wrote to memory of 2732	1256	cmd.exe	Avete.exe.com
PID 1256 wrote to memory of 2732	1256	cmd.exe	Avete.exe.com
PID 1256 wrote to memory of 2732	1256	cmd.exe	Avete.exe.com
PID 3992 wrote to memory of 3552	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 3992 wrote to memory of 3552	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 3992 wrote to memory of 3552	3992	5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe	cmd.exe
PID 1256 wrote to memory of 2464	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 2464	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 2464	1256	cmd.exe	PING.EXE
PID 3552 wrote to memory of 2296	3552	cmd.exe	timeout.exe
PID 3552 wrote to memory of 2296	3552	cmd.exe	timeout.exe
PID 3552 wrote to memory of 2296	3552	cmd.exe	timeout.exe
PID 2732 wrote to memory of 184	2732	Avete.exe.com	Avete.exe.com
PID 2732 wrote to memory of 184	2732	Avete.exe.com	Avete.exe.com
PID 2732 wrote to memory of 184	2732	Avete.exe.com	Avete.exe.com
PID 3332 wrote to memory of 4064	3332	4.exe	SmartClock.exe
PID 3332 wrote to memory of 4064	3332	4.exe	SmartClock.exe
PID 3332 wrote to memory of 4064	3332	4.exe	SmartClock.exe
PID 184 wrote to memory of 3464	184	Avete.exe.com	Avete.exe.com
PID 184 wrote to memory of 3464	184	Avete.exe.com	Avete.exe.com
PID 184 wrote to memory of 3464	184	Avete.exe.com	Avete.exe.com
PID 184 wrote to memory of 3464	184	Avete.exe.com	Avete.exe.com
PID 184 wrote to memory of 3464	184	Avete.exe.com	Avete.exe.com
PID 3464 wrote to memory of 3932	3464	Avete.exe.com	bppjfdgmynfj.exe
PID 3464 wrote to memory of 3932	3464	Avete.exe.com	bppjfdgmynfj.exe
PID 3464 wrote to memory of 3932	3464	Avete.exe.com	bppjfdgmynfj.exe
PID 3464 wrote to memory of 932	3464	Avete.exe.com	WScript.exe
PID 3464 wrote to memory of 932	3464	Avete.exe.com	WScript.exe
PID 3464 wrote to memory of 932	3464	Avete.exe.com	WScript.exe
PID 3932 wrote to memory of 2920	3932	bppjfdgmynfj.exe	rundll32.exe
PID 3932 wrote to memory of 2920	3932	bppjfdgmynfj.exe	rundll32.exe
PID 3932 wrote to memory of 2920	3932	bppjfdgmynfj.exe	rundll32.exe
PID 2920 wrote to memory of 3160	2920	rundll32.exe	RUNDLL32.EXE
PID 2920 wrote to memory of 3160	2920	rundll32.exe	RUNDLL32.EXE
PID 2920 wrote to memory of 3160	2920	rundll32.exe	RUNDLL32.EXE
PID 3160 wrote to memory of 1244	3160	RUNDLL32.EXE	powershell.exe
PID 3160 wrote to memory of 1244	3160	RUNDLL32.EXE	powershell.exe
PID 3160 wrote to memory of 1244	3160	RUNDLL32.EXE	powershell.exe
PID 3464 wrote to memory of 2868	3464	Avete.exe.com	WScript.exe
PID 3464 wrote to memory of 2868	3464	Avete.exe.com	WScript.exe
PID 3464 wrote to memory of 2868	3464	Avete.exe.com	WScript.exe
PID 3160 wrote to memory of 2456	3160	RUNDLL32.EXE	powershell.exe
PID 3160 wrote to memory of 2456	3160	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe
"C:\Users\Admin\AppData\Local\Temp\5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\NgrsyLjG.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\NgrsyLjG.exe
    "C:\Users\Admin\AppData\Local\Temp\NgrsyLjG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Popolato.msi
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^apGTrfWcJxtQXwJcHnegENItTWMlQlOditReXbpZWHNIdBqeVcudrbHFABquCMEnGOJSpGbpgeaWZZOsVKfctbjJbjCvbevl$" Animatrici.msi
        7⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com
        
        Avete.exe.com g
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com g
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\bppjfdgmynfj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bppjfdgmynfj.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BPPJFD~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\BPPJFD~1.EXE
        11⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BPPJFD~1.DLL,EhEBfI0=
        12⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCA84.tmp.ps1"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDD24.tmp.ps1"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        14⤵
        
        PID:500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        13⤵
        
        PID:652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jxdbjpe.vbs"
        10⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\onqccoywk.vbs"
        10⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:4064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5ae264a5e12c7eb4d1ff850aba54812c279b9a6eaceb6.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
97f4ad168fcdb6a5aaa401ba2bb58770

SHA1
10264f898faf99435d70346d618cc9e4a9448a1d

SHA256
bae6c186374c8ad42cddac16a470849a012f23b20a3b6c493c48e08736fa12d1

SHA512
edf785bd840f49219ec9fb17e0ee613fa92ba09195c8c003b7e457bd2156cb5c739d90887be35b2f8838ddd4eb9c2edc436328bf443e48bc1e402ed1f6b62111

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Animatrici.msi

MD5
05662040f84c6978b1573b8918c9bfe9

SHA1
2db25e84049310ca201479e2bdf79f75fb5ace1f

SHA256
890bac38eea04e02ef3523f0c5104592933aab56dceb6aeeb10fa664342516c5

SHA512
2d2d115a93e55106d0c043be76bc2df6033bdacc59d0d4a9b39a0230fa1be71bddf12ce06b7ec26e2f1677cc582b21b1dbfa294511e20fc1f888dbce93f2b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avete.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Natura.msi

MD5
a0f77117dfd482cfab50370ff8c52f3d

SHA1
4accd8fc11c64da5a6032f85205d88478e0f9f1b

SHA256
4e2b62f5d56008fb31c8693ae69e947db7ced29d6032cdde32ed45ffb3e68cca

SHA512
2e839c00651d80a97c44b2d2699f27f47ba2b6ee53da4bf1e16a98847046208ac4a0ae043223e216e892cf52663ac1d6db2634236ec4261e10df6c34a7fa76f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orrore.msi

MD5
71f4e596fa97c1a729edfb7ad171e7c6

SHA1
2a48c9bfb68c1b53578e43cf6a297e225ca0f56f

SHA256
1b7022f4f3c8e6a5bc2b96d4217d9c5854bc1f8a08cea4478e8929bf4abf0730

SHA512
6d45fd60c7fa9d8638b4e5c251cd5cf2f78d951fe35abf3b14ed7c9557cf489e8ec93b2c328cfbd4b21e739a73cf0f933b22566a5a5bd4f5a76e37c438645277

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Popolato.msi

MD5
ec0e7d726900d1c66748fac4cf819e07

SHA1
2ff03096e941c739eb6e2c2749f0ed83ee3f4320

SHA256
fec318488e4ba6388a8712272229161341e304fcf7de746fc5188ec37867c7d8

SHA512
4e0fc896f31d79f89d54022e4c525aae0249bb4ec2d6e7f2ab7efcf82981e35c7a760b074075c6217dbdffbf20eb739da4dfc01523b1ce8e063794a6b35532e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\g

MD5
71f4e596fa97c1a729edfb7ad171e7c6

SHA1
2a48c9bfb68c1b53578e43cf6a297e225ca0f56f

SHA256
1b7022f4f3c8e6a5bc2b96d4217d9c5854bc1f8a08cea4478e8929bf4abf0730

SHA512
6d45fd60c7fa9d8638b4e5c251cd5cf2f78d951fe35abf3b14ed7c9557cf489e8ec93b2c328cfbd4b21e739a73cf0f933b22566a5a5bd4f5a76e37c438645277

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPPJFD~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\JEYEPX~1.ZIP

MD5
a91152dfc04d692573dbd2e54764509f

SHA1
85b4ae89a2e568d3706f0ca6805322afb025e32d

SHA256
2ace3cfca838727e25319da74a600f607fafa60603a7cf89f885dfcd169c4fd9

SHA512
5494e3ee1cbbd31d38f48142e436c7d98e4e4cd885e265d488238a02d6841f27c1e94937839c453a02e9905caaf758339094a8e792948bc28cee9201d6df443e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\QPZTXL~1.ZIP

MD5
040cdd4ed3cf0b68b5605b46b9996baf

SHA1
1625949b6c0cbe4c0873172bdebaae47cd4a6521

SHA256
312cac98e665349007610a18d90bf184ea358ff38ff7fc8b2cbb3e270032ad61

SHA512
9a2e5e8748df7e0a1fbbff031999b97bb7999cc75c3020e7ce5f184e0f2010e1f4a8722445524a39b5ba0d6bd0afab198be1e78abf643b707ca782b35690208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\_Files\_INFOR~1.TXT

MD5
72f2746a086d79c0a7abb2d49116b0b7

SHA1
c54fc9526ad5eeda300097280d11db7067ef6093

SHA256
4b3004f7446fb29e740aec2f7b4acdbdb0d2ee1a7d7eaf3034d14556f1636b55

SHA512
00dfcecd8f99e6d7dcb794de2b892f61bc4dcdbe334c6073752c92f0cc86922584199652e3bfb0ac4e6d6a864a9f94bff40e852b63673b48ee7f11e398773291

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\_Files\_SCREE~1.JPE

MD5
37955e1af37f36b175c0cdeca7ffa32c

SHA1
7407b1f5f59b7fb185df3336d3a5a714784b265f

SHA256
5001c743256d6d40bbdbd4305011790a43d7332940b2063aa18f04ab93fd66b2

SHA512
d4281644cc88a0f4f50c7415627433376c6024629cdc7c155fea60f6ca9e42f60244af79ba3c31430eb1c30f462a45b6a2a2b9a652467925452cc9f038b2a918

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\files_\SCREEN~1.JPG

MD5
37955e1af37f36b175c0cdeca7ffa32c

SHA1
7407b1f5f59b7fb185df3336d3a5a714784b265f

SHA256
5001c743256d6d40bbdbd4305011790a43d7332940b2063aa18f04ab93fd66b2

SHA512
d4281644cc88a0f4f50c7415627433376c6024629cdc7c155fea60f6ca9e42f60244af79ba3c31430eb1c30f462a45b6a2a2b9a652467925452cc9f038b2a918

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxVRXJIJ\files_\SYSTEM~1.TXT

MD5
f226d90502f6e67b5d8f0c7c121639da

SHA1
4fb263937f6b8cd19fce30fad53884a2c44c6923

SHA256
bc42118641586c7e8df082aadea5fd371640b2d171ab96f35533d4e541d6dfc4

SHA512
3bffae2c584a621bcfb06e8d5e4bf19ac94b589b3ee4955d4c0b9ffd8dbf42b9a4b860db40a861ed04a235cb56a0eb8b2424f27ddca4a49214d2dab3b9f50092

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
e91ac3549fe840cc9d8b51f4873b196b

SHA1
51fc1f52925996a0f81efb4ff69fab0fae2a2931

SHA256
8e4113dc5f285dfd9bd8316642024a7c1d454f41cde5fdffa867476b3d7d2437

SHA512
13b0de194dfba02c68c516377e1c71ba13bba00b23d25420a1cefb5993fd6ddbe699de2e9c98d2468b0be164bbbbf73e28a908828ffa7ed0ef9e270cb4c799df

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
e91ac3549fe840cc9d8b51f4873b196b

SHA1
51fc1f52925996a0f81efb4ff69fab0fae2a2931

SHA256
8e4113dc5f285dfd9bd8316642024a7c1d454f41cde5fdffa867476b3d7d2437

SHA512
13b0de194dfba02c68c516377e1c71ba13bba00b23d25420a1cefb5993fd6ddbe699de2e9c98d2468b0be164bbbbf73e28a908828ffa7ed0ef9e270cb4c799df

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
8e87d62f82e58aaa88f162afdcee6708

SHA1
985094b53e18255b2411a8d5945204aba1bdb9bb

SHA256
8d5c862a782a7b1c5847824240ed03da672a8519d1618b521414aee226d76a19

SHA512
188ac14200cab2e1d8546bf62a1051c6a909a63ee90d2ad7d69a886736e226eedcd90f4ab85631077a61b821d2c85532bd3a8d8a9cda24b19700a62e45918b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
8e87d62f82e58aaa88f162afdcee6708

SHA1
985094b53e18255b2411a8d5945204aba1bdb9bb

SHA256
8d5c862a782a7b1c5847824240ed03da672a8519d1618b521414aee226d76a19

SHA512
188ac14200cab2e1d8546bf62a1051c6a909a63ee90d2ad7d69a886736e226eedcd90f4ab85631077a61b821d2c85532bd3a8d8a9cda24b19700a62e45918b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgrsyLjG.exe

MD5
7da29afc32671f34340b2d6a77d78d8c

SHA1
6258a548dac3af7af0bafcfd3e5bf355152b326d

SHA256
146cd075847580f5e89e142e081923c316f80871627f47af9c913ce0a9096bc2

SHA512
ed497f29e5a3b850b4faad03de503a9a2ada7b25e2f55c2115cb29696635853d997906e399539ee55e017593ac36c472254e7b3158418d4498d8a2425cf34415

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgrsyLjG.exe

MD5
7da29afc32671f34340b2d6a77d78d8c

SHA1
6258a548dac3af7af0bafcfd3e5bf355152b326d

SHA256
146cd075847580f5e89e142e081923c316f80871627f47af9c913ce0a9096bc2

SHA512
ed497f29e5a3b850b4faad03de503a9a2ada7b25e2f55c2115cb29696635853d997906e399539ee55e017593ac36c472254e7b3158418d4498d8a2425cf34415

Download Submit
C:\Users\Admin\AppData\Local\Temp\bppjfdgmynfj.exe

MD5
ad165f0bf3103c7e7dc72c6550111e88

SHA1
a74a0f3bfa4965073266da34c8795fdd4f743e84

SHA256
4d34fa5e98a0ad7ddf5604a31286b984c8e368a67b05f979dfd6c824481bbe5f

SHA512
8f635385be2e11ec7414156cf8d029502a3ab4baf27073b86bc1986b2c1f26338e03374f80411ad07432d7ea5a01cd50afc88b9ba598f41c502725b706002c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\bppjfdgmynfj.exe

MD5
ad165f0bf3103c7e7dc72c6550111e88

SHA1
a74a0f3bfa4965073266da34c8795fdd4f743e84

SHA256
4d34fa5e98a0ad7ddf5604a31286b984c8e368a67b05f979dfd6c824481bbe5f

SHA512
8f635385be2e11ec7414156cf8d029502a3ab4baf27073b86bc1986b2c1f26338e03374f80411ad07432d7ea5a01cd50afc88b9ba598f41c502725b706002c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxdbjpe.vbs

MD5
74929590508afdc4961fc0ba37131366

SHA1
2affc86e06ef172c2bfd44052da887ca1b164f22

SHA256
301328ef8c0be80e5c8c6621e95e71729b2c2f79a724d5240689d50bc48a26ec

SHA512
6735597eb02abe5fb523ac2db5b55de01de13ec1084285aca86ab8c2e97c88c9297381f378e1bc3bb2d5f79c6d653bf60e0a4eba945bfc9b7a9f1ee2ecf1de7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onqccoywk.vbs

MD5
0fb0b53772fcd1ab42effe09873a9ec1

SHA1
50812e482da9871e91927b17565b85b7216b3fe5

SHA256
e237de588461cd745021970276eed058d6c4f02710c6d9a0b314ebb13967c1ae

SHA512
8c30b77c1ba6cb1ea2fd075f4ff47e425233ad96c6b8f10e244c58e05d007368317b95b95d3035d79e66c418badada432f7e58526c8849cfab3faff713be7d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA84.tmp.ps1

MD5
5021e21b3bd8389e1a312621c83c0afe

SHA1
9b401e65528ba0b139e8f82c6e71ccc76687ca3f

SHA256
2d5cf5f51f086500a1dcb94b788ce204c73161ad9083b2951d4a2e55c400229e

SHA512
7a89e78b3eb2b92247b3be3fa182ca4b5cd880d6678e42b9a56df4861f5fe5d5c96f39dd65cab65178c233e36b7b58e1de189a6d7d9ea2754a2b540870c020c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA85.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD24.tmp.ps1

MD5
e51924179c43e2e10c9224a9079ed540

SHA1
683049b9888282256cbb95abe41b3789428caae7

SHA256
f92e5df7290634aea6724cf4e11ced98347d6ffa32a8c26afffbcc745bee60a7

SHA512
bfc36a9ed9746e29badfb7d56df50991978ae57b7039901116d45524cdc92872c4870ff5d202682d64ff4f84a5a9dfde4ca6eb8e905ae261628e102693b0ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e91ac3549fe840cc9d8b51f4873b196b

SHA1
51fc1f52925996a0f81efb4ff69fab0fae2a2931

SHA256
8e4113dc5f285dfd9bd8316642024a7c1d454f41cde5fdffa867476b3d7d2437

SHA512
13b0de194dfba02c68c516377e1c71ba13bba00b23d25420a1cefb5993fd6ddbe699de2e9c98d2468b0be164bbbbf73e28a908828ffa7ed0ef9e270cb4c799df

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e91ac3549fe840cc9d8b51f4873b196b

SHA1
51fc1f52925996a0f81efb4ff69fab0fae2a2931

SHA256
8e4113dc5f285dfd9bd8316642024a7c1d454f41cde5fdffa867476b3d7d2437

SHA512
13b0de194dfba02c68c516377e1c71ba13bba00b23d25420a1cefb5993fd6ddbe699de2e9c98d2468b0be164bbbbf73e28a908828ffa7ed0ef9e270cb4c799df

Download Submit
\Users\Admin\AppData\Local\Temp\BPPJFD~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\BPPJFD~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsl88CE.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/184-145-0x0000000000000000-mapping.dmp

Download
memory/184-156-0x0000000001400000-0x000000000154A000-memory.dmp

Filesize
1.3MB

Download
memory/500-232-0x0000000000000000-mapping.dmp

Download
memory/652-237-0x0000000000000000-mapping.dmp

Download
memory/684-121-0x0000000000000000-mapping.dmp

Download
memory/932-163-0x0000000000000000-mapping.dmp

Download
memory/1244-192-0x0000000008C20000-0x0000000008C21000-memory.dmp

Filesize
4KB

Download
memory/1244-180-0x0000000000000000-mapping.dmp

Download
memory/1244-207-0x0000000007333000-0x0000000007334000-memory.dmp

Filesize
4KB

Download
memory/1244-204-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/1244-201-0x00000000096F0000-0x00000000096F1000-memory.dmp

Filesize
4KB

Download
memory/1244-200-0x000000000A160000-0x000000000A161000-memory.dmp

Filesize
4KB

Download
memory/1244-195-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1244-193-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/1244-191-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/1244-190-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/1244-189-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/1244-188-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/1244-187-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/1244-185-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/1244-186-0x0000000007332000-0x0000000007333000-memory.dmp

Filesize
4KB

Download
memory/1244-184-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/1244-183-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/1256-129-0x0000000000000000-mapping.dmp

Download
memory/2208-117-0x0000000000000000-mapping.dmp

Download
memory/2296-144-0x0000000000000000-mapping.dmp

Download
memory/2456-208-0x0000000000000000-mapping.dmp

Download
memory/2456-236-0x0000000007513000-0x0000000007514000-memory.dmp

Filesize
4KB

Download
memory/2456-224-0x0000000007512000-0x0000000007513000-memory.dmp

Filesize
4KB

Download
memory/2456-223-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2456-220-0x0000000008CF0000-0x0000000008CF1000-memory.dmp

Filesize
4KB

Download
memory/2456-217-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/2464-235-0x0000000000000000-mapping.dmp

Download
memory/2464-137-0x0000000000000000-mapping.dmp

Download
memory/2732-133-0x0000000000000000-mapping.dmp

Download
memory/2868-202-0x0000000000000000-mapping.dmp

Download
memory/2920-176-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/2920-175-0x0000000005111000-0x0000000005770000-memory.dmp

Filesize
6.4MB

Download
memory/2920-168-0x0000000000000000-mapping.dmp

Download
memory/3152-127-0x0000000000000000-mapping.dmp

Download
memory/3160-173-0x0000000000000000-mapping.dmp

Download
memory/3160-179-0x0000000005471000-0x0000000005AD0000-memory.dmp

Filesize
6.4MB

Download
memory/3160-222-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3332-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3332-151-0x0000000001F50000-0x0000000001F76000-memory.dmp

Filesize
152KB

Download
memory/3332-123-0x0000000000000000-mapping.dmp

Download
memory/3464-157-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/3464-159-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/3552-136-0x0000000000000000-mapping.dmp

Download
memory/3808-116-0x0000000000000000-mapping.dmp

Download
memory/3864-130-0x0000000000000000-mapping.dmp

Download
memory/3932-167-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3932-160-0x0000000000000000-mapping.dmp

Download
memory/3932-165-0x0000000002E60000-0x0000000003567000-memory.dmp

Filesize
7.0MB

Download
memory/3932-166-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3992-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3992-114-0x0000000002160000-0x0000000002241000-memory.dmp

Filesize
900KB

Download
memory/4064-148-0x0000000000000000-mapping.dmp

Download
memory/4064-154-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4064-153-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download