cryptbot | 32e6aeda569edacaf5dea7f815c7e22e32ba8b7992bb787b68149cf0b06d273c

Analysis

max time kernel
143s
max time network
130s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabf8671cc9bf2085707ad603d1c3312.exe
Size

725KB
MD5

cabf8671cc9bf2085707ad603d1c3312
SHA1

ad7231649ef55e5222b1aff96e30adbe8ad70b5c
SHA256

32e6aeda569edacaf5dea7f815c7e22e32ba8b7992bb787b68149cf0b06d273c
SHA512

840636c5a89438eafb4211361ed88d71b25330f0e195a07c8a7744b2404af932c7e4f0e8f9e8051ceeb4214faedf1acb20cb424b066f199230618724f68b0acf

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

geofrz52.top

morvmz05.top

Attributes

payload_url
http://rogkpf07.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2204-114-0x0000000002190000-0x0000000002271000-memory.dmp	family_cryptbot
behavioral2/memory/2204-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/4084-153-0x0000000000460000-0x00000000005AA000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

35 2196 RUNDLL32.EXE
37 1796 WScript.exe
39 1796 WScript.exe
41 1796 WScript.exe
43 1796 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

sghYs.exevpn.exe4.exePulsare.exe.comPulsare.exe.comSmartClock.exebbfyhqxoe.exe

pid process

3956 sghYs.exe
2412 vpn.exe
2448 4.exe
744 Pulsare.exe.com
2116 Pulsare.exe.com
4084 SmartClock.exe
3956 bbfyhqxoe.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

sghYs.exerundll32.exeRUNDLL32.EXE

pid process

3956 sghYs.exe
1296 rundll32.exe
1296 rundll32.exe
2196 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	pid	process
35	2196	RUNDLL32.EXE
37	1796	WScript.exe
39	1796	WScript.exe
41	1796	WScript.exe
43	1796	WScript.exe

pid	process
3956	sghYs.exe
2412	vpn.exe
2448	4.exe
744	Pulsare.exe.com
2116	Pulsare.exe.com
4084	SmartClock.exe
3956	bbfyhqxoe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
3956	sghYs.exe
1296	rundll32.exe
1296	rundll32.exe
2196	RUNDLL32.EXE

flow	ioc
22	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

sghYs.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	sghYs.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	sghYs.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	sghYs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cabf8671cc9bf2085707ad603d1c3312.exePulsare.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cabf8671cc9bf2085707ad603d1c3312.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cabf8671cc9bf2085707ad603d1c3312.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Pulsare.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Pulsare.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3932 timeout.exe
Modifies registry class 1 IoCs

Processes:

Pulsare.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Pulsare.exe.com

pid	process
3932	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Pulsare.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

632 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4084 SmartClock.exe

pid	process
632	PING.EXE

pid	process
4084	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
2196	RUNDLL32.EXE
2196	RUNDLL32.EXE
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1296	rundll32.exe
Token: SeDebugPrivilege	2196	RUNDLL32.EXE
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

cabf8671cc9bf2085707ad603d1c3312.exeRUNDLL32.EXE

pid process

2204 cabf8671cc9bf2085707ad603d1c3312.exe
2204 cabf8671cc9bf2085707ad603d1c3312.exe
2196 RUNDLL32.EXE

pid	process
2204	cabf8671cc9bf2085707ad603d1c3312.exe
2204	cabf8671cc9bf2085707ad603d1c3312.exe
2196	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cabf8671cc9bf2085707ad603d1c3312.execmd.exesghYs.exevpn.execmd.execmd.exePulsare.exe.comcmd.exe4.exePulsare.exe.combbfyhqxoe.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 2204 wrote to memory of 2068	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 2204 wrote to memory of 2068	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 2204 wrote to memory of 2068	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 2068 wrote to memory of 3956	2068	cmd.exe	sghYs.exe
PID 2068 wrote to memory of 3956	2068	cmd.exe	sghYs.exe
PID 2068 wrote to memory of 3956	2068	cmd.exe	sghYs.exe
PID 3956 wrote to memory of 2412	3956	sghYs.exe	vpn.exe
PID 3956 wrote to memory of 2412	3956	sghYs.exe	vpn.exe
PID 3956 wrote to memory of 2412	3956	sghYs.exe	vpn.exe
PID 3956 wrote to memory of 2448	3956	sghYs.exe	4.exe
PID 3956 wrote to memory of 2448	3956	sghYs.exe	4.exe
PID 3956 wrote to memory of 2448	3956	sghYs.exe	4.exe
PID 2412 wrote to memory of 2084	2412	vpn.exe	cmd.exe
PID 2412 wrote to memory of 2084	2412	vpn.exe	cmd.exe
PID 2412 wrote to memory of 2084	2412	vpn.exe	cmd.exe
PID 2084 wrote to memory of 1968	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 1968	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 1968	2084	cmd.exe	cmd.exe
PID 1968 wrote to memory of 2392	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2392	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2392	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 744	1968	cmd.exe	Pulsare.exe.com
PID 1968 wrote to memory of 744	1968	cmd.exe	Pulsare.exe.com
PID 1968 wrote to memory of 744	1968	cmd.exe	Pulsare.exe.com
PID 1968 wrote to memory of 632	1968	cmd.exe	PING.EXE
PID 1968 wrote to memory of 632	1968	cmd.exe	PING.EXE
PID 1968 wrote to memory of 632	1968	cmd.exe	PING.EXE
PID 744 wrote to memory of 2116	744	Pulsare.exe.com	Pulsare.exe.com
PID 744 wrote to memory of 2116	744	Pulsare.exe.com	Pulsare.exe.com
PID 744 wrote to memory of 2116	744	Pulsare.exe.com	Pulsare.exe.com
PID 2204 wrote to memory of 3064	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 2204 wrote to memory of 3064	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 2204 wrote to memory of 3064	2204	cabf8671cc9bf2085707ad603d1c3312.exe	cmd.exe
PID 3064 wrote to memory of 3932	3064	cmd.exe	timeout.exe
PID 3064 wrote to memory of 3932	3064	cmd.exe	timeout.exe
PID 3064 wrote to memory of 3932	3064	cmd.exe	timeout.exe
PID 2448 wrote to memory of 4084	2448	4.exe	SmartClock.exe
PID 2448 wrote to memory of 4084	2448	4.exe	SmartClock.exe
PID 2448 wrote to memory of 4084	2448	4.exe	SmartClock.exe
PID 2116 wrote to memory of 3956	2116	Pulsare.exe.com	bbfyhqxoe.exe
PID 2116 wrote to memory of 3956	2116	Pulsare.exe.com	bbfyhqxoe.exe
PID 2116 wrote to memory of 3956	2116	Pulsare.exe.com	bbfyhqxoe.exe
PID 2116 wrote to memory of 3064	2116	Pulsare.exe.com	WScript.exe
PID 2116 wrote to memory of 3064	2116	Pulsare.exe.com	WScript.exe
PID 2116 wrote to memory of 3064	2116	Pulsare.exe.com	WScript.exe
PID 3956 wrote to memory of 1296	3956	bbfyhqxoe.exe	rundll32.exe
PID 3956 wrote to memory of 1296	3956	bbfyhqxoe.exe	rundll32.exe
PID 3956 wrote to memory of 1296	3956	bbfyhqxoe.exe	rundll32.exe
PID 1296 wrote to memory of 2196	1296	rundll32.exe	RUNDLL32.EXE
PID 1296 wrote to memory of 2196	1296	rundll32.exe	RUNDLL32.EXE
PID 1296 wrote to memory of 2196	1296	rundll32.exe	RUNDLL32.EXE
PID 2116 wrote to memory of 1796	2116	Pulsare.exe.com	WScript.exe
PID 2116 wrote to memory of 1796	2116	Pulsare.exe.com	WScript.exe
PID 2116 wrote to memory of 1796	2116	Pulsare.exe.com	WScript.exe
PID 2196 wrote to memory of 3672	2196	RUNDLL32.EXE	powershell.exe
PID 2196 wrote to memory of 3672	2196	RUNDLL32.EXE	powershell.exe
PID 2196 wrote to memory of 3672	2196	RUNDLL32.EXE	powershell.exe
PID 2196 wrote to memory of 1900	2196	RUNDLL32.EXE	powershell.exe
PID 2196 wrote to memory of 1900	2196	RUNDLL32.EXE	powershell.exe
PID 2196 wrote to memory of 1900	2196	RUNDLL32.EXE	powershell.exe
PID 1900 wrote to memory of 812	1900	powershell.exe	nslookup.exe
PID 1900 wrote to memory of 812	1900	powershell.exe	nslookup.exe
PID 1900 wrote to memory of 812	1900	powershell.exe	nslookup.exe
PID 2196 wrote to memory of 1868	2196	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cabf8671cc9bf2085707ad603d1c3312.exe
"C:\Users\Admin\AppData\Local\Temp\cabf8671cc9bf2085707ad603d1c3312.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\sghYs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\sghYs.exe
"C:\Users\Admin\AppData\Local\Temp\sghYs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fai.potm
5⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^lbfXreWdTXRitRhlMXtPdpbYhPgMlueYgPLnUSCvWbGrGCTqdIdkGhRwZsKhOluMUSSfuPdUxISSCxsKWhcBQRaqXK$" Dei.potm
7⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com
Pulsare.exe.com N
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com N
8⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\bbfyhqxoe.exe
"C:\Users\Admin\AppData\Local\Temp\bbfyhqxoe.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\BBFYHQ~1.EXE
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL,SgpALDZMBXw=
11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6BDA.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7EB8.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
13⤵
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:1868

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sulfggin.vbs"
9⤵
PID:3064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aymhjkf.vbs"
9⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1796

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
7⤵
- Runs ping.exe
PID:632

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cabf8671cc9bf2085707ad603d1c3312.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
94a8e21cb42291987b7a24bf88e01ddc

SHA1
e31f5564257223a5e57c14d2c9313f11da64853a

SHA256
b21888c63309ce5bf2560a348a30088d6a48c3632679e7faf2aaa13776498067

SHA512
1d47d862e5acc1d5803ddb030c3c2fd66ad08483384394e9ffd0f2000fbfb4a901e963664f24873f9c280f17b9ebc595788b0ba97eda0f7db1d1caa7beba2391

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dai.potm
MD5
ab5248bfc73dba700a7b24d6f0ef3e0d

SHA1
eba901b65790c84bde823ed21e7a27e4ad14d76b

SHA256
0068a388c5526c04cc733da90db563aa5ec1a44653f2841f2e21cb58c2afc579

SHA512
07edb9ff4f16652609447c082593501d525c6c5d9ba385ee93db1dd157815a73a340dbd4549cc99175b452b36320990e806470344572d3007a92b50942a4e2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dei.potm
MD5
73fde661df0f3fe1785b0c5b2a0dabcb

SHA1
24acc3072f2877857275bdfc1d7dbf905dfa89d9

SHA256
a5e9ff33a07d114a9b696dd91a7c18cbd98e10ca82397169cdf44fb010c0f8ab

SHA512
10811690303a87b861df075f5a0ab9ed8ebb733b06e8218e158a8b8d8e0274356e730547ce52fbe9a84518def442e80a2bab20c3dec503ae108d0b2f86640eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fai.potm
MD5
52165227feb2386e86b50ec258a3f74e

SHA1
bd699c18451d4a15a8e735eda00a8bbf3411cdb3

SHA256
13492fbdb6c4d3918171c1950779a18d71a490d6fbf0b7e525af22fdbbaafdc8

SHA512
b8f979904124c66145fc6bfdc856bdaf7d555b2c46684e6f42d12bd166fb20286bddfc4e8d740caad7d72874a9d0b5fecf07fa34d4013acf31ef5d3b7ce5bb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Febrili.potm
MD5
635ff1e421bad9b7287c4032a5d61345

SHA1
0dbc5241ce7aa77d9edf7dc628859a30793ca7d3

SHA256
ea8743b8a719868763d121cedc6a641c4bd738367a1413001e722c2a2bfe4335

SHA512
9e5697e321b5536345eb40e76dd2d967477d2fb0493bc71c4a0f75fb50e1cbea17af1cdac2046e11b800d434758fe55f7c0c8e3730bdf51e4ee363e495c4da28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\N
MD5
ab5248bfc73dba700a7b24d6f0ef3e0d

SHA1
eba901b65790c84bde823ed21e7a27e4ad14d76b

SHA256
0068a388c5526c04cc733da90db563aa5ec1a44653f2841f2e21cb58c2afc579

SHA512
07edb9ff4f16652609447c082593501d525c6c5d9ba385ee93db1dd157815a73a340dbd4549cc99175b452b36320990e806470344572d3007a92b50942a4e2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
d6fea5f1df050b2c793bee568e84d50e

SHA1
d1a3b230e374496a85e5e635b49be9fc8b8a4483

SHA256
4fd51d3cbec822d9b5777ab5252d4ff407ef129c915e079ba2cfe6d37a8c9a85

SHA512
3ef7e2dd126df41f70ba29c084fd7a8e557b36344cd8693ee8c7042956ba94a8989bf220e0a21eeb5173f342f435e2e394a7cfc7dacc0b616b80fe118504c1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
d6fea5f1df050b2c793bee568e84d50e

SHA1
d1a3b230e374496a85e5e635b49be9fc8b8a4483

SHA256
4fd51d3cbec822d9b5777ab5252d4ff407ef129c915e079ba2cfe6d37a8c9a85

SHA512
3ef7e2dd126df41f70ba29c084fd7a8e557b36344cd8693ee8c7042956ba94a8989bf220e0a21eeb5173f342f435e2e394a7cfc7dacc0b616b80fe118504c1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
f77029723f5f56d322779482fc2f9c9f

SHA1
286243319aaf21c6c08922c70ffec410f60d232b

SHA256
0443c051b7106972ea6dd353be3d0f42670fc983e663906504c401dfb0728bc3

SHA512
8ae69190723cd581b393997afe68155d47a23772be146e711f4d309fe6cd45e1f704af6186816626a95b59d3670bea977ac7227bc4b10b018ef0f3106f395de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
f77029723f5f56d322779482fc2f9c9f

SHA1
286243319aaf21c6c08922c70ffec410f60d232b

SHA256
0443c051b7106972ea6dd353be3d0f42670fc983e663906504c401dfb0728bc3

SHA512
8ae69190723cd581b393997afe68155d47a23772be146e711f4d309fe6cd45e1f704af6186816626a95b59d3670bea977ac7227bc4b10b018ef0f3106f395de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\OAAHOO~1.ZIP
MD5
9ca654fc9aca0b6f1349faee76b3f371

SHA1
1dc04a10ffc1933860d751162e9a4db304352cae

SHA256
c494b63a75118ba8ab70d366c804a9e270cd36c653594564839d37a85cf00cca

SHA512
9fdae34259776a29132cc1b63bcd2f8f331afc8573bc0b151aed7276b5b74cbca4b256c8f99bbecf856d2f2ee2ef0dfed4826fe0243b159f80d7b722a6aee3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\XTZAUA~1.ZIP
MD5
17d0f7011795d00ae936e5ca727b696a

SHA1
e10e0337d27380ae1634b1bd8e53c02e4a793be8

SHA256
2c1e0aa32e76c1446f33e2a7e3aa51ddfecaa3d83864dcc742cc7ac1cadc3afa

SHA512
4c412544b433efaf1930f3fcc9e0f02d0e03fea740ba927e0040ce60232d34a59fdc1bc724eec7b4207da6d4c5cb2701b99073885b9e5419a69b57b3ecec6289

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\_Files\_INFOR~1.TXT
MD5
1cb4f4428f6d5528ec4e2209760f37e1

SHA1
d865bf27899fcf422c002d3a026f31468b57432c

SHA256
da49f06f3825687c4d8608671bd83d42879ab847dc8c8c03205e9fcd70ac2c47

SHA512
9a342f9d6b755dc57a542f7e071672bd9090a03f865a1f2c4afab3aea3a7e09f587498db0874a94bd513c9cbb4023a20d8960ef342a0c86ca61b7219ab12bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\_Files\_SCREE~1.JPE
MD5
dcde9712adf62ed8d1c0cad32ec7c155

SHA1
52ae719b949b56214edc0a8eceb4d24ca930aeaa

SHA256
54edc79a688cb78b522f502e2a902da72f678de2c46155faf7d2bd615a505b0a

SHA512
d90227e331a6bb658fae2a9b765c9c7ae958efc6f87efd47dbd8e81c7a35d21f5d0c7f6a3adacadea4bfda016819cf84507ab760a66418ff1ec6ef93f887b8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\files_\SCREEN~1.JPG
MD5
dcde9712adf62ed8d1c0cad32ec7c155

SHA1
52ae719b949b56214edc0a8eceb4d24ca930aeaa

SHA256
54edc79a688cb78b522f502e2a902da72f678de2c46155faf7d2bd615a505b0a

SHA512
d90227e331a6bb658fae2a9b765c9c7ae958efc6f87efd47dbd8e81c7a35d21f5d0c7f6a3adacadea4bfda016819cf84507ab760a66418ff1ec6ef93f887b8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRXoiRWdX\files_\SYSTEM~1.TXT
MD5
5e0aed39fc4344cbe1b58059cb3f2ff7

SHA1
2951ee7bdf7d7c5bba41322190b34ab1e1491245

SHA256
c34dbf0dcb5e2c6c0c40b4fc932bd0e0d7e1b77db7ad587d68f9f52e1e31f74a

SHA512
63d7982292d212549ac745851103caa9db546e280b89a10c0852fcc680c6cda65de24548852cec1a82d88fdf37ac060129eca1c6f2a67fc238b6b5313ad5abfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aymhjkf.vbs
MD5
7da399663b12a5b3aa562cae9eb68181

SHA1
5ead9c70d87b9df9897869826bcce7f0b6651f5c

SHA256
c28ebcecf62d87fcb534a83b201229c982a56395708c7009c9b74bc79a561ec5

SHA512
bad256b15812eb9564d07ce31382faa48d7bf1c9eb9965b2a00cb8bc3569942efec228fcf395611d08b40b4c81079b7b8c81dff31911fdcf9de5872caff698d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbfyhqxoe.exe
MD5
72d25d9745d6a07edd64490113bfb9ec

SHA1
147e3a7d7dbe7d00a56874ac6ed068b55515db0c

SHA256
b31ac582fb2bf1708657f6212bd3bbe9a6d351ac9b5138d821454ea358d469c0

SHA512
bacd37e9635d1bf63bffe5373dd61c7317b73efa5e47bb8cef9423833abf836ace50992b3f283ddd45e1a82ac721cbfce43294750456e6b30aafe392999335d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbfyhqxoe.exe
MD5
72d25d9745d6a07edd64490113bfb9ec

SHA1
147e3a7d7dbe7d00a56874ac6ed068b55515db0c

SHA256
b31ac582fb2bf1708657f6212bd3bbe9a6d351ac9b5138d821454ea358d469c0

SHA512
bacd37e9635d1bf63bffe5373dd61c7317b73efa5e47bb8cef9423833abf836ace50992b3f283ddd45e1a82ac721cbfce43294750456e6b30aafe392999335d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sghYs.exe
MD5
1e63a95a8d758fe5a63aac5f62029a21

SHA1
ae7063986a2201e9a95144cb10e805cb9c70f663

SHA256
6bdc76babfd926e062085274aee16df8933bfebe4c11aad26052484280c22b90

SHA512
a80eceb7874c46c5386333ccb57e6a0615a8161a60549da7270433708133de6baac869c1da2878161c37c0402419f1a940b6541de00a23e74ea3afe3c475f5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sghYs.exe
MD5
1e63a95a8d758fe5a63aac5f62029a21

SHA1
ae7063986a2201e9a95144cb10e805cb9c70f663

SHA256
6bdc76babfd926e062085274aee16df8933bfebe4c11aad26052484280c22b90

SHA512
a80eceb7874c46c5386333ccb57e6a0615a8161a60549da7270433708133de6baac869c1da2878161c37c0402419f1a940b6541de00a23e74ea3afe3c475f5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sulfggin.vbs
MD5
75e735d463e6ff53b7ca66e69bce6cbb

SHA1
2f4c4f588923d4fcf4c80e24e36312518e29f961

SHA256
a353f19d90848edd5fc6ae2fc13455c57db2509610cbc15f342793fabe7d2f5a

SHA512
b1cd5621b145564949d8101af902f832e5ca7ba9ccf9cf05baf0f13ac249b305a012a0432790d254d5d233dcdfedcf1d9e00ac1d75263afbfa3c4c436d57dc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BDA.tmp.ps1
MD5
e13ee12f55c1c28ca7d04dba9acf54cd

SHA1
42a6a7c88b5d98c27515a4ee0e08894b2b660c62

SHA256
42d70b582bbd5e05f6c0fe71c6600d96a335850ed4d16d36089a5a419fb0d2d4

SHA512
cb7cceed64295b2d29ef5108babfb9fe6fa20c63e110f6195d1a3ecbaf17c199aac439aa7a57dd1b4a967edf85bb4905fec25d170dc357bf904d32914486c264

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BDB.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EB8.tmp.ps1
MD5
bfd5c336b6630b275524b64c9da654a6

SHA1
6dc0f1a209bb063ac2ce4454f6069056ae03084f

SHA256
804a2986e88085749bab7c88d24a90e499aa7f60484bfd94a7290d3b98ab9e62

SHA512
51bc16b834b7d797187b85bd24eb09f423c0dba7129911ed2966ff5cc9b15ca5658c796c48c9bfb52dd6c721ae4ce363255d001b9351ee434a8b7578b5236d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EB9.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
d6fea5f1df050b2c793bee568e84d50e

SHA1
d1a3b230e374496a85e5e635b49be9fc8b8a4483

SHA256
4fd51d3cbec822d9b5777ab5252d4ff407ef129c915e079ba2cfe6d37a8c9a85

SHA512
3ef7e2dd126df41f70ba29c084fd7a8e557b36344cd8693ee8c7042956ba94a8989bf220e0a21eeb5173f342f435e2e394a7cfc7dacc0b616b80fe118504c1de

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
d6fea5f1df050b2c793bee568e84d50e

SHA1
d1a3b230e374496a85e5e635b49be9fc8b8a4483

SHA256
4fd51d3cbec822d9b5777ab5252d4ff407ef129c915e079ba2cfe6d37a8c9a85

SHA512
3ef7e2dd126df41f70ba29c084fd7a8e557b36344cd8693ee8c7042956ba94a8989bf220e0a21eeb5173f342f435e2e394a7cfc7dacc0b616b80fe118504c1de

Download Submit
\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\BBFYHQ~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsc670D.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/632-136-0x0000000000000000-mapping.dmp

Download
memory/744-133-0x0000000000000000-mapping.dmp

Download
memory/812-230-0x0000000000000000-mapping.dmp

Download
memory/1296-162-0x0000000000000000-mapping.dmp

Download
memory/1296-166-0x0000000004160000-0x0000000004725000-memory.dmp

Filesize
5.8MB

Download
memory/1296-174-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1296-173-0x0000000004D41000-0x00000000053A0000-memory.dmp

Filesize
6.4MB

Download
memory/1296-170-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1796-178-0x0000000000000000-mapping.dmp

Download
memory/1868-233-0x0000000000000000-mapping.dmp

Download
memory/1900-222-0x0000000004A02000-0x0000000004A03000-memory.dmp

Filesize
4KB

Download
memory/1900-207-0x0000000000000000-mapping.dmp

Download
memory/1900-219-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/1900-221-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1900-216-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/1900-234-0x0000000004A03000-0x0000000004A04000-memory.dmp

Filesize
4KB

Download
memory/1968-129-0x0000000000000000-mapping.dmp

Download
memory/2068-116-0x0000000000000000-mapping.dmp

Download
memory/2084-127-0x0000000000000000-mapping.dmp

Download
memory/2116-155-0x0000000001B20000-0x0000000001B21000-memory.dmp

Filesize
4KB

Download
memory/2116-137-0x0000000000000000-mapping.dmp

Download
memory/2196-171-0x0000000000000000-mapping.dmp

Download
memory/2196-175-0x0000000005161000-0x00000000057C0000-memory.dmp

Filesize
6.4MB

Download
memory/2196-206-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2204-114-0x0000000002190000-0x0000000002271000-memory.dmp

Filesize
900KB

Download
memory/2204-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2392-130-0x0000000000000000-mapping.dmp

Download
memory/2412-121-0x0000000000000000-mapping.dmp

Download
memory/2448-123-0x0000000000000000-mapping.dmp

Download
memory/2448-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2448-151-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/2816-235-0x0000000000000000-mapping.dmp

Download
memory/3064-160-0x0000000000000000-mapping.dmp

Download
memory/3064-140-0x0000000000000000-mapping.dmp

Download
memory/3672-191-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/3672-202-0x0000000008E00000-0x0000000008E01000-memory.dmp

Filesize
4KB

Download
memory/3672-184-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/3672-192-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/3672-193-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3672-183-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/3672-195-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/3672-200-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/3672-201-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/3672-187-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/3672-180-0x0000000000000000-mapping.dmp

Download
memory/3672-205-0x0000000006983000-0x0000000006984000-memory.dmp

Filesize
4KB

Download
memory/3672-185-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/3672-190-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3672-188-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/3672-186-0x0000000006982000-0x0000000006983000-memory.dmp

Filesize
4KB

Download
memory/3672-189-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/3932-147-0x0000000000000000-mapping.dmp

Download
memory/3956-169-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/3956-157-0x0000000000000000-mapping.dmp

Download
memory/3956-167-0x0000000002E20000-0x0000000003527000-memory.dmp

Filesize
7.0MB

Download
memory/3956-168-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3956-117-0x0000000000000000-mapping.dmp

Download
memory/4084-153-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4084-154-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4084-148-0x0000000000000000-mapping.dmp

Download