cryptbot | 7893541b010d78ca63a1f443f01f7f4100f1782eabfa486d53191d53646dd150

Analysis

max time kernel
140s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
31-05-2021 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
Size

754KB
MD5

9f5038a906df9d9a701a19f582ebc638
SHA1

e94d6bce0d20babfc1c22220d4479f0d9f179cb2
SHA256

7893541b010d78ca63a1f443f01f7f4100f1782eabfa486d53191d53646dd150
SHA512

348fa99606b1bd7e8259b246a41dfab70275ad21f8ac78d5ac45a6bc202eab0077e7351f914512588cf43ce785777f77c3b3f00d7b9765db61e0e749883c2bbb

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

geobna72.top

moryce07.top

Attributes

payload_url
http://rogkjs10.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3540-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3540-114-0x0000000002170000-0x0000000002251000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

35 2700 RUNDLL32.EXE
37 2788 WScript.exe
39 2788 WScript.exe
41 2788 WScript.exe
43 2788 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

dwkAd.exevpn.exe4.exeSubito.exe.comSubito.exe.comSmartClock.exelrvcgpqqqsl.exe

pid process

2392 dwkAd.exe
1472 vpn.exe
3208 4.exe
1920 Subito.exe.com
1656 Subito.exe.com
2936 SmartClock.exe
3092 lrvcgpqqqsl.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

dwkAd.exerundll32.exeRUNDLL32.EXE

pid process

2392 dwkAd.exe
2532 rundll32.exe
2700 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	pid	process
35	2700	RUNDLL32.EXE
37	2788	WScript.exe
39	2788	WScript.exe
41	2788	WScript.exe
43	2788	WScript.exe

pid	process
2392	dwkAd.exe
1472	vpn.exe
3208	4.exe
1920	Subito.exe.com
1656	Subito.exe.com
2936	SmartClock.exe
3092	lrvcgpqqqsl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
2392	dwkAd.exe
2532	rundll32.exe
2700	RUNDLL32.EXE

flow	ioc
22	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

dwkAd.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	dwkAd.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	dwkAd.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	dwkAd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exeSubito.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Subito.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Subito.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4004 timeout.exe
Modifies registry class 1 IoCs

Processes:

Subito.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Subito.exe.com

pid	process
4004	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Subito.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2316 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2936 SmartClock.exe

pid	process
2316	PING.EXE

pid	process
2936	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
2700	RUNDLL32.EXE
2700	RUNDLL32.EXE
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2532	rundll32.exe
Token: SeDebugPrivilege	2700	RUNDLL32.EXE
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exeRUNDLL32.EXE

pid process

3540 7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
3540 7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
2700 RUNDLL32.EXE

pid	process
3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
2700	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.execmd.exedwkAd.exevpn.execmd.execmd.exeSubito.exe.comcmd.exe4.exeSubito.exe.comlrvcgpqqqsl.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3540 wrote to memory of 2284	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 3540 wrote to memory of 2284	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 3540 wrote to memory of 2284	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 2284 wrote to memory of 2392	2284	cmd.exe	dwkAd.exe
PID 2284 wrote to memory of 2392	2284	cmd.exe	dwkAd.exe
PID 2284 wrote to memory of 2392	2284	cmd.exe	dwkAd.exe
PID 2392 wrote to memory of 1472	2392	dwkAd.exe	vpn.exe
PID 2392 wrote to memory of 1472	2392	dwkAd.exe	vpn.exe
PID 2392 wrote to memory of 1472	2392	dwkAd.exe	vpn.exe
PID 2392 wrote to memory of 3208	2392	dwkAd.exe	4.exe
PID 2392 wrote to memory of 3208	2392	dwkAd.exe	4.exe
PID 2392 wrote to memory of 3208	2392	dwkAd.exe	4.exe
PID 1472 wrote to memory of 3692	1472	vpn.exe	cmd.exe
PID 1472 wrote to memory of 3692	1472	vpn.exe	cmd.exe
PID 1472 wrote to memory of 3692	1472	vpn.exe	cmd.exe
PID 3692 wrote to memory of 3788	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 3788	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 3788	3692	cmd.exe	cmd.exe
PID 3788 wrote to memory of 3488	3788	cmd.exe	findstr.exe
PID 3788 wrote to memory of 3488	3788	cmd.exe	findstr.exe
PID 3788 wrote to memory of 3488	3788	cmd.exe	findstr.exe
PID 3788 wrote to memory of 1920	3788	cmd.exe	Subito.exe.com
PID 3788 wrote to memory of 1920	3788	cmd.exe	Subito.exe.com
PID 3788 wrote to memory of 1920	3788	cmd.exe	Subito.exe.com
PID 3788 wrote to memory of 2316	3788	cmd.exe	PING.EXE
PID 3788 wrote to memory of 2316	3788	cmd.exe	PING.EXE
PID 3788 wrote to memory of 2316	3788	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1656	1920	Subito.exe.com	Subito.exe.com
PID 1920 wrote to memory of 1656	1920	Subito.exe.com	Subito.exe.com
PID 1920 wrote to memory of 1656	1920	Subito.exe.com	Subito.exe.com
PID 3540 wrote to memory of 1384	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 3540 wrote to memory of 1384	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 3540 wrote to memory of 1384	3540	7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe	cmd.exe
PID 1384 wrote to memory of 4004	1384	cmd.exe	timeout.exe
PID 1384 wrote to memory of 4004	1384	cmd.exe	timeout.exe
PID 1384 wrote to memory of 4004	1384	cmd.exe	timeout.exe
PID 3208 wrote to memory of 2936	3208	4.exe	SmartClock.exe
PID 3208 wrote to memory of 2936	3208	4.exe	SmartClock.exe
PID 3208 wrote to memory of 2936	3208	4.exe	SmartClock.exe
PID 1656 wrote to memory of 3092	1656	Subito.exe.com	lrvcgpqqqsl.exe
PID 1656 wrote to memory of 3092	1656	Subito.exe.com	lrvcgpqqqsl.exe
PID 1656 wrote to memory of 3092	1656	Subito.exe.com	lrvcgpqqqsl.exe
PID 1656 wrote to memory of 3464	1656	Subito.exe.com	WScript.exe
PID 1656 wrote to memory of 3464	1656	Subito.exe.com	WScript.exe
PID 1656 wrote to memory of 3464	1656	Subito.exe.com	WScript.exe
PID 3092 wrote to memory of 2532	3092	lrvcgpqqqsl.exe	rundll32.exe
PID 3092 wrote to memory of 2532	3092	lrvcgpqqqsl.exe	rundll32.exe
PID 3092 wrote to memory of 2532	3092	lrvcgpqqqsl.exe	rundll32.exe
PID 2532 wrote to memory of 2700	2532	rundll32.exe	RUNDLL32.EXE
PID 2532 wrote to memory of 2700	2532	rundll32.exe	RUNDLL32.EXE
PID 2532 wrote to memory of 2700	2532	rundll32.exe	RUNDLL32.EXE
PID 2700 wrote to memory of 3508	2700	RUNDLL32.EXE	powershell.exe
PID 2700 wrote to memory of 3508	2700	RUNDLL32.EXE	powershell.exe
PID 2700 wrote to memory of 3508	2700	RUNDLL32.EXE	powershell.exe
PID 1656 wrote to memory of 2788	1656	Subito.exe.com	WScript.exe
PID 1656 wrote to memory of 2788	1656	Subito.exe.com	WScript.exe
PID 1656 wrote to memory of 2788	1656	Subito.exe.com	WScript.exe
PID 2700 wrote to memory of 2772	2700	RUNDLL32.EXE	powershell.exe
PID 2700 wrote to memory of 2772	2700	RUNDLL32.EXE	powershell.exe
PID 2700 wrote to memory of 2772	2700	RUNDLL32.EXE	powershell.exe
PID 2772 wrote to memory of 3792	2772	powershell.exe	nslookup.exe
PID 2772 wrote to memory of 3792	2772	powershell.exe	nslookup.exe
PID 2772 wrote to memory of 3792	2772	powershell.exe	nslookup.exe
PID 2700 wrote to memory of 1576	2700	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe
"C:\Users\Admin\AppData\Local\Temp\7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dwkAd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\dwkAd.exe
    "C:\Users\Admin\AppData\Local\Temp\dwkAd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fina.pdf
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^PTaQUHsswdKSMiIsfCPEpDoeOIRStnozZXYFKKXvthvySBXRyJEGOOjkKdejQnhCidSPoeGFFamWurphLqNcUCFlKMVxILGFZUXBIoIreZwcfd$" Dici.pdf
        7⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com
        
        Subito.exe.com S
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com S
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\lrvcgpqqqsl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lrvcgpqqqsl.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\LRVCGP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\LRVCGP~1.EXE
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\LRVCGP~1.DLL,dyhPZA==
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp759E.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp880F.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nwukpyjokv.vbs"
        9⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gmvrcbhyjjkr.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7893541b010d78ca63a1f443f01f7f4100f1782eabfa4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d2c6fd919d86613ec35f59c00cf93b47

SHA1
d35d3b8da872cdf22624646088377e0200c067ba

SHA256
5cac7eebcad714df322e4b1d505919b9bc9ad3db3433ceefc4e532e8dfcfbd9b

SHA512
73147033d12051bbfbada9b9c97b095dc5cac126fbd3767503b47020d0e2fc323191fd95b4bc0567f1c478c268377f431713cb33a991db12e8ba66b1a3b7dfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cio.pdf

MD5
ee62e1149fe0249d3eb5a0a3f62bc2ae

SHA1
ba7c57e5dd86708fc09a94112ac93c9435ea24ce

SHA256
ce3d45b030f4d57c1a3c92a2854cd42d38c772c46f856b158218d0dcdafec075

SHA512
77eb08d0462f5325c955717723009d7d362f0c85c713b691bc0289d597fa5067573a3711c154a02285ab2fe78dc16ea754c40c925750f14fbc2095cc29220821

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dici.pdf

MD5
5aae09141ac59dc2d8466a6c954a7ec3

SHA1
4b93c89e1ca9d86a2a289bcef01d3926227524de

SHA256
75411531e56306acc4cbb4b9faa4e5a483ddae473bab32303f62526a58c0c25e

SHA512
6692729fcc405ff4190433efeb2090eaf68ac0096c0b2c0722d3f9a0eb2ff9f716aa0bb0b6a83c04f1b059cafaa7e3e55deabd4806528fa8d170295e63e94b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fina.pdf

MD5
097f7c9c0a0a70435ea879cee6a01938

SHA1
e77075e61ee9d7d7687db64980202d21b3edb2b6

SHA256
4ce7ffaa753c64a7948014fed12534a15a05ac668f477acac554b90b800fbbce

SHA512
e76226438c4c12c11cbb681c2be69e2f7d21dc9a2b21bc940938fbe132603cf6fce01e037a0ec070511dc136d829216c1621c0e3c91e0149403b2e84e27a19a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pare.pdf

MD5
c3d398e85e5459c8406d0b89418edb1e

SHA1
e00275913d8018d878b6bad0172bd028ccb0bec8

SHA256
98187b3eab0ba996d0deab0f79d1713a178337243934ef3e7eb100effc4f6e17

SHA512
c2af18a836667f8fdb09d084b79c63f8926edf7ee5a60825c251f2d05c518e37c9f8aeb6b89ae69aacd05a986026283df2e4d82f9114b6153c64afe4fd6cb2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\S

MD5
c3d398e85e5459c8406d0b89418edb1e

SHA1
e00275913d8018d878b6bad0172bd028ccb0bec8

SHA256
98187b3eab0ba996d0deab0f79d1713a178337243934ef3e7eb100effc4f6e17

SHA512
c2af18a836667f8fdb09d084b79c63f8926edf7ee5a60825c251f2d05c518e37c9f8aeb6b89ae69aacd05a986026283df2e4d82f9114b6153c64afe4fd6cb2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subito.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRVCGP~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
1697074239d73fd8ace71b82b4a72da1

SHA1
72b1610ec3c8fcea401de3b0768ce0eb6a5a3764

SHA256
a194ef8e0fe86dac1c063040a8c4f9617a57ac42d89783cd20b25721dd12e2c3

SHA512
f4a19841cde98b8b04bdbd6e4f9673f22fdb800d45d4afd30047364ea22fceb16ca02a7a62b1416d78f406fbb0e82018b13832ace4026c5c29d7dd2eeb88dfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
1697074239d73fd8ace71b82b4a72da1

SHA1
72b1610ec3c8fcea401de3b0768ce0eb6a5a3764

SHA256
a194ef8e0fe86dac1c063040a8c4f9617a57ac42d89783cd20b25721dd12e2c3

SHA512
f4a19841cde98b8b04bdbd6e4f9673f22fdb800d45d4afd30047364ea22fceb16ca02a7a62b1416d78f406fbb0e82018b13832ace4026c5c29d7dd2eeb88dfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
52e92966d04f123f111533d06b37e33a

SHA1
3ed602320e0aab7a287ef840a5480133bbee4920

SHA256
b70b74bc0de35bba127da84085078aa07e84cdadb04632168f99b3e52ef53b5a

SHA512
55ec236218bbc6b315a9881932e133cfb1cfa4ba0a5fdff43429b2cd715040dd6e9a647322b12b33dea4e378de4e1ddea195faf0954841b6618034d6ac610adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
52e92966d04f123f111533d06b37e33a

SHA1
3ed602320e0aab7a287ef840a5480133bbee4920

SHA256
b70b74bc0de35bba127da84085078aa07e84cdadb04632168f99b3e52ef53b5a

SHA512
55ec236218bbc6b315a9881932e133cfb1cfa4ba0a5fdff43429b2cd715040dd6e9a647322b12b33dea4e378de4e1ddea195faf0954841b6618034d6ac610adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwkAd.exe

MD5
bf3b4ff799c200bbb96228c07bcce882

SHA1
4f0ad56c4d839a6621f88fdc0276b05e8b18c8bf

SHA256
2b45fc8ae2420f664b50ccac2cbb7425775383deb7840af635bb133968107f73

SHA512
659a12fcf4b185599a682d386f2c49d014ea4aa288a59b834d419a0bc1d46de21ed5d7876106bf0b8af19e58d21539a3268eace1896ae44c2dfd38def3c2804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwkAd.exe

MD5
bf3b4ff799c200bbb96228c07bcce882

SHA1
4f0ad56c4d839a6621f88fdc0276b05e8b18c8bf

SHA256
2b45fc8ae2420f664b50ccac2cbb7425775383deb7840af635bb133968107f73

SHA512
659a12fcf4b185599a682d386f2c49d014ea4aa288a59b834d419a0bc1d46de21ed5d7876106bf0b8af19e58d21539a3268eace1896ae44c2dfd38def3c2804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmvrcbhyjjkr.vbs

MD5
1779c215e9972b1ab2f88ac0ec8e7f24

SHA1
2e8668898227d942653c7432d86b119426b317a8

SHA256
4e48943e708a8226c512d13facfe860c8a9640ccf2fb600f77891d3220c601f2

SHA512
49513588f74cde46d7ea152fc658afc7a2c1a4a46d58d0ed0b2bbcb87f5e2b4d43ebc788af8c4c20adc4ad1fdd27dfc16a204fa1bb71b9a0a53e7852e941e0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrvcgpqqqsl.exe

MD5
13e1b790f95f241a0ea111a3c16b1c9f

SHA1
6769b61181a6639c29a1e2b036b39115f944f7e1

SHA256
f41b9b30a677e7d360ab774e1e2ab345cce30c8c1e956d81f86320974857a8f1

SHA512
a66df93eb39307a57ccd5a9a2cde28f69d4a0f734118244c1681a3670d427594de50738cda27fa86889712bc8eba6ea1815069c2e5bb5f4e315ffd06d2a7d8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrvcgpqqqsl.exe

MD5
13e1b790f95f241a0ea111a3c16b1c9f

SHA1
6769b61181a6639c29a1e2b036b39115f944f7e1

SHA256
f41b9b30a677e7d360ab774e1e2ab345cce30c8c1e956d81f86320974857a8f1

SHA512
a66df93eb39307a57ccd5a9a2cde28f69d4a0f734118244c1681a3670d427594de50738cda27fa86889712bc8eba6ea1815069c2e5bb5f4e315ffd06d2a7d8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwukpyjokv.vbs

MD5
8a14183b827e2452919f90ac6a610114

SHA1
36f661f06014930b449360b5862fefebb2688f45

SHA256
9b97aeb6be082d9afdae63ce252c7311626d9b36aefa475d187c57b0e4dd9c48

SHA512
b92aba6dbb1f5722a6a6cd5b9231e56c08e3b20ebfb2b84cb8ee87d00cca136b8bad40556315a7b34f172bb03d44ece392104c34128b214936f1fd2fd4575e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp759E.tmp.ps1

MD5
fe2a0534167a75aa85ad0e18f006c4de

SHA1
53b3bba2434ad229fbd04b79c49838049ef0137b

SHA256
751dd760229641574c1852bb2165912149333a475aae97b04cc8d14b95c8d717

SHA512
02249869cb90328d6b77e210aa986077adcc43e210e2103b765f99d417bd4055696b3256f8e606d7d50ce5e6cf0e0c7ff9bd84ef705bda0fe0a1e3fe0836dee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp759F.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp880F.tmp.ps1

MD5
677d597e56b0c79a79ac4f88fcef5d42

SHA1
770a31f64250a69b2f1fb65bc33a726c6fdc2039

SHA256
e983a63f0557b167fc6f123f0ba1c3e9659e993130524de91f5705e1ff8f7b11

SHA512
93858c80bfaa8a464089f3d1f7a51780941ce88c489ff753b99d8e7f4c1a17b9a2e919fe2002ef767561cc29b78c2ea925a9aa07ebec17e4ee7a975e1ce3a1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp881F.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\PHKLIA~1.ZIP

MD5
f84208e21c7618011ff27c80c4276aa0

SHA1
0d103a1b5db491e50b1a9b16009e85b5803418e2

SHA256
a1eedf29676859acc565c25f8cd785a4f21d03ac3a6a943b4b40a3a5bb5e85ea

SHA512
6c5468092db15c281065dcd8063a104e5ecd36cc701c60c36b7c1f11a7f4ad7fc8495a8c8fe1e6d917277d866c6ffd61eb4df25dcd454ae11bdc0a46cab14d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\UWXyTHfV.zip

MD5
25aa81c60d53498a8681f5ebaa565d71

SHA1
deb4f5ec24d2830fe9c82ba98c77db0fc0b41a3c

SHA256
5f34307e54066585ef12b0e1a4aa21159b4ad93b87f19cbdb1c9e951906febfe

SHA512
46aa15264f5e189d1eeaf3cd9301489bcb20c055269d6a32b6516cba8d99d03d965cd89a506b36a788051ca024e3c3104d8c11ff149dac5b051921381423b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\_Files\_Files\CONNEC~1.TXT

MD5
cee1f05e82b5770c7a9ea5eeca8fa67a

SHA1
34cfefdf3e01f3f8f2de83e863b2412a413f02c0

SHA256
b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893

SHA512
28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\_Files\_INFOR~1.TXT

MD5
6866942fa3a68fefd6f6873f71d0a415

SHA1
da1f870040a275a887c638ee15fb04fb6bd00eef

SHA256
0f1e2f7f983c321f65122d2f2d030cc2049d2df78c45b963fe07278665b6557f

SHA512
66024bfd466f8c198f9856b44221b14d5d5a48346a183e24e905e13f989437395be8c41df2f64e77e587232f1bda000347785e9068bf46e9a07c9970e9647f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\_Files\_SCREE~1.JPE

MD5
1371329ac63d08098ceaa8461ab4f907

SHA1
8dc0eacc458ef0e72d1f53dce8c940a2e050bb79

SHA256
d4e66e80c5957674a1e921dd505592d9f74f5c4879581a0e0c131bf47670d916

SHA512
f5fd57cae22defbff635ff3ed2a9c3bf0940ed3aa1454f33d7bf24335aef88cfe10e918b83dc9a58ddb25b0590c25065515378c6cdd927fb34bc10b280eccd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\files_\SCREEN~1.JPG

MD5
1371329ac63d08098ceaa8461ab4f907

SHA1
8dc0eacc458ef0e72d1f53dce8c940a2e050bb79

SHA256
d4e66e80c5957674a1e921dd505592d9f74f5c4879581a0e0c131bf47670d916

SHA512
f5fd57cae22defbff635ff3ed2a9c3bf0940ed3aa1454f33d7bf24335aef88cfe10e918b83dc9a58ddb25b0590c25065515378c6cdd927fb34bc10b280eccd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\files_\SYSTEM~1.TXT

MD5
fa5b7628d56953a030d334a1f2c46752

SHA1
5258abe4eaafa03b3958c4c508081ad19cb29b11

SHA256
2616280eac6ad6915b30cf4420389032b12c79d03fe56afe6a98c820fe802c9d

SHA512
f7a30fef829a540b69b780df5a8d28c106e05478341f16cdfc64c2079de797e31c64d7225ac4dcbccc8c628d8efde5fdc884c31ff4050d1f75d72c2e821edd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvHdgCKLyInca\files_\files\CONNEC~1.TXT

MD5
cee1f05e82b5770c7a9ea5eeca8fa67a

SHA1
34cfefdf3e01f3f8f2de83e863b2412a413f02c0

SHA256
b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893

SHA512
28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
1697074239d73fd8ace71b82b4a72da1

SHA1
72b1610ec3c8fcea401de3b0768ce0eb6a5a3764

SHA256
a194ef8e0fe86dac1c063040a8c4f9617a57ac42d89783cd20b25721dd12e2c3

SHA512
f4a19841cde98b8b04bdbd6e4f9673f22fdb800d45d4afd30047364ea22fceb16ca02a7a62b1416d78f406fbb0e82018b13832ace4026c5c29d7dd2eeb88dfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
1697074239d73fd8ace71b82b4a72da1

SHA1
72b1610ec3c8fcea401de3b0768ce0eb6a5a3764

SHA256
a194ef8e0fe86dac1c063040a8c4f9617a57ac42d89783cd20b25721dd12e2c3

SHA512
f4a19841cde98b8b04bdbd6e4f9673f22fdb800d45d4afd30047364ea22fceb16ca02a7a62b1416d78f406fbb0e82018b13832ace4026c5c29d7dd2eeb88dfa2

Download Submit
\Users\Admin\AppData\Local\Temp\LRVCGP~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\LRVCGP~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsj82B4.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1384-140-0x0000000000000000-mapping.dmp

Download
memory/1472-121-0x0000000000000000-mapping.dmp

Download
memory/1576-234-0x0000000000000000-mapping.dmp

Download
memory/1656-137-0x0000000000000000-mapping.dmp

Download
memory/1656-157-0x00000000012A0000-0x00000000013EA000-memory.dmp

Filesize
1.3MB

Download
memory/1920-133-0x0000000000000000-mapping.dmp

Download
memory/2284-116-0x0000000000000000-mapping.dmp

Download
memory/2316-135-0x0000000000000000-mapping.dmp

Download
memory/2392-117-0x0000000000000000-mapping.dmp

Download
memory/2532-175-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/2532-174-0x00000000050D1000-0x0000000005730000-memory.dmp

Filesize
6.4MB

Download
memory/2532-167-0x0000000000000000-mapping.dmp

Download
memory/2700-172-0x0000000000000000-mapping.dmp

Download
memory/2700-208-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2700-178-0x0000000004F11000-0x0000000005570000-memory.dmp

Filesize
6.4MB

Download
memory/2772-220-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/2772-224-0x0000000006F02000-0x0000000006F03000-memory.dmp

Filesize
4KB

Download
memory/2772-206-0x0000000000000000-mapping.dmp

Download
memory/2772-217-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/2772-235-0x0000000006F03000-0x0000000006F04000-memory.dmp

Filesize
4KB

Download
memory/2772-223-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/2788-183-0x0000000000000000-mapping.dmp

Download
memory/2936-150-0x0000000000000000-mapping.dmp

Download
memory/2936-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3024-236-0x0000000000000000-mapping.dmp

Download
memory/3092-165-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3092-166-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3092-164-0x0000000002DB0000-0x00000000034B7000-memory.dmp

Filesize
7.0MB

Download
memory/3092-159-0x0000000000000000-mapping.dmp

Download
memory/3208-154-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3208-153-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3208-124-0x0000000000000000-mapping.dmp

Download
memory/3464-162-0x0000000000000000-mapping.dmp

Download
memory/3488-130-0x0000000000000000-mapping.dmp

Download
memory/3508-191-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3508-186-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/3508-193-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/3508-196-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3508-201-0x00000000097C0000-0x00000000097C1000-memory.dmp

Filesize
4KB

Download
memory/3508-202-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/3508-203-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3508-192-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3508-190-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3508-207-0x0000000006B23000-0x0000000006B24000-memory.dmp

Filesize
4KB

Download
memory/3508-189-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/3508-179-0x0000000000000000-mapping.dmp

Download
memory/3508-188-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3508-182-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3508-187-0x0000000006B22000-0x0000000006B23000-memory.dmp

Filesize
4KB

Download
memory/3508-184-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/3508-194-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000002170000-0x0000000002251000-memory.dmp

Filesize
900KB

Download
memory/3540-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3692-127-0x0000000000000000-mapping.dmp

Download
memory/3788-129-0x0000000000000000-mapping.dmp

Download
memory/3792-231-0x0000000000000000-mapping.dmp

Download
memory/4004-149-0x0000000000000000-mapping.dmp

Download