cryptbot | 8a76004d1a369fe370c6427a17869a59844c131ac485ac7577a41df8f61d13f9

Analysis

max time kernel
137s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
04-06-2021 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
Size

746KB
MD5

8d93b4ca20dea336647b556294a36ab4
SHA1

f4c3c4e89f53676b7b88280fdf37dba5a237d047
SHA256

8a76004d1a369fe370c6427a17869a59844c131ac485ac7577a41df8f61d13f9
SHA512

8afbe6e21fda9c43ac2337bfc45cf1a3867cd4dd48e076584f23b24ed25908b7d057ae6a824929aabebc98d4832585b329e285045b2eea449f1509f19b91c2e6

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

nimvsw42.top

morpwz04.top

Attributes

payload_url
http://noirsb05.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3172-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3172-114-0x0000000002220000-0x0000000002301000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

37 3776 RUNDLL32.EXE
39 3828 WScript.exe
41 3828 WScript.exe
43 3828 WScript.exe
45 3828 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

maHwJpej.exe4.exevpn.exeChiude.exe.comChiude.exe.comSmartClock.exegnkhhga.exe

pid process

1320 maHwJpej.exe
2124 4.exe
484 vpn.exe
1128 Chiude.exe.com
2872 Chiude.exe.com
2408 SmartClock.exe
3584 gnkhhga.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

maHwJpej.exerundll32.exeRUNDLL32.EXE

pid process

1320 maHwJpej.exe
3668 rundll32.exe
3668 rundll32.exe
3776 RUNDLL32.EXE
3776 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com

flow	pid	process
37	3776	RUNDLL32.EXE
39	3828	WScript.exe
41	3828	WScript.exe
43	3828	WScript.exe
45	3828	WScript.exe

pid	process
1320	maHwJpej.exe
2124	4.exe
484	vpn.exe
1128	Chiude.exe.com
2872	Chiude.exe.com
2408	SmartClock.exe
3584	gnkhhga.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
1320	maHwJpej.exe
3668	rundll32.exe
3668	rundll32.exe
3776	RUNDLL32.EXE
3776	RUNDLL32.EXE

flow	ioc
24	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

maHwJpej.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	maHwJpej.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	maHwJpej.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	maHwJpej.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exeChiude.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chiude.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Chiude.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

740 timeout.exe
Modifies registry class 1 IoCs

Processes:

Chiude.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Chiude.exe.com

pid	process
740	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Chiude.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3792 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2408 SmartClock.exe

pid	process
3792	PING.EXE

pid	process
2408	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
3776	RUNDLL32.EXE
3776	RUNDLL32.EXE
2576	powershell.exe
2576	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3668	rundll32.exe
Token: SeDebugPrivilege	3776	RUNDLL32.EXE
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exeRUNDLL32.EXE

pid process

3172 SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
3172 SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
3776 RUNDLL32.EXE

pid	process
3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
3776	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Troj.Kryptik-TR.832.4367.execmd.exemaHwJpej.exevpn.execmd.execmd.exeChiude.exe.comcmd.exe4.exeChiude.exe.comgnkhhga.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3172 wrote to memory of 3464	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 3172 wrote to memory of 3464	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 3172 wrote to memory of 3464	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 3464 wrote to memory of 1320	3464	cmd.exe	maHwJpej.exe
PID 3464 wrote to memory of 1320	3464	cmd.exe	maHwJpej.exe
PID 3464 wrote to memory of 1320	3464	cmd.exe	maHwJpej.exe
PID 1320 wrote to memory of 2124	1320	maHwJpej.exe	4.exe
PID 1320 wrote to memory of 2124	1320	maHwJpej.exe	4.exe
PID 1320 wrote to memory of 2124	1320	maHwJpej.exe	4.exe
PID 1320 wrote to memory of 484	1320	maHwJpej.exe	vpn.exe
PID 1320 wrote to memory of 484	1320	maHwJpej.exe	vpn.exe
PID 1320 wrote to memory of 484	1320	maHwJpej.exe	vpn.exe
PID 484 wrote to memory of 1612	484	vpn.exe	cmd.exe
PID 484 wrote to memory of 1612	484	vpn.exe	cmd.exe
PID 484 wrote to memory of 1612	484	vpn.exe	cmd.exe
PID 1612 wrote to memory of 1244	1612	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1244	1612	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1244	1612	cmd.exe	cmd.exe
PID 1244 wrote to memory of 2828	1244	cmd.exe	findstr.exe
PID 1244 wrote to memory of 2828	1244	cmd.exe	findstr.exe
PID 1244 wrote to memory of 2828	1244	cmd.exe	findstr.exe
PID 1244 wrote to memory of 1128	1244	cmd.exe	Chiude.exe.com
PID 1244 wrote to memory of 1128	1244	cmd.exe	Chiude.exe.com
PID 1244 wrote to memory of 1128	1244	cmd.exe	Chiude.exe.com
PID 1244 wrote to memory of 3792	1244	cmd.exe	PING.EXE
PID 1244 wrote to memory of 3792	1244	cmd.exe	PING.EXE
PID 1244 wrote to memory of 3792	1244	cmd.exe	PING.EXE
PID 1128 wrote to memory of 2872	1128	Chiude.exe.com	Chiude.exe.com
PID 1128 wrote to memory of 2872	1128	Chiude.exe.com	Chiude.exe.com
PID 1128 wrote to memory of 2872	1128	Chiude.exe.com	Chiude.exe.com
PID 3172 wrote to memory of 2528	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 3172 wrote to memory of 2528	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 3172 wrote to memory of 2528	3172	SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe	cmd.exe
PID 2528 wrote to memory of 740	2528	cmd.exe	timeout.exe
PID 2528 wrote to memory of 740	2528	cmd.exe	timeout.exe
PID 2528 wrote to memory of 740	2528	cmd.exe	timeout.exe
PID 2124 wrote to memory of 2408	2124	4.exe	SmartClock.exe
PID 2124 wrote to memory of 2408	2124	4.exe	SmartClock.exe
PID 2124 wrote to memory of 2408	2124	4.exe	SmartClock.exe
PID 2872 wrote to memory of 3584	2872	Chiude.exe.com	gnkhhga.exe
PID 2872 wrote to memory of 3584	2872	Chiude.exe.com	gnkhhga.exe
PID 2872 wrote to memory of 3584	2872	Chiude.exe.com	gnkhhga.exe
PID 2872 wrote to memory of 1896	2872	Chiude.exe.com	WScript.exe
PID 2872 wrote to memory of 1896	2872	Chiude.exe.com	WScript.exe
PID 2872 wrote to memory of 1896	2872	Chiude.exe.com	WScript.exe
PID 3584 wrote to memory of 3668	3584	gnkhhga.exe	rundll32.exe
PID 3584 wrote to memory of 3668	3584	gnkhhga.exe	rundll32.exe
PID 3584 wrote to memory of 3668	3584	gnkhhga.exe	rundll32.exe
PID 3668 wrote to memory of 3776	3668	rundll32.exe	RUNDLL32.EXE
PID 3668 wrote to memory of 3776	3668	rundll32.exe	RUNDLL32.EXE
PID 3668 wrote to memory of 3776	3668	rundll32.exe	RUNDLL32.EXE
PID 3776 wrote to memory of 2684	3776	RUNDLL32.EXE	powershell.exe
PID 3776 wrote to memory of 2684	3776	RUNDLL32.EXE	powershell.exe
PID 3776 wrote to memory of 2684	3776	RUNDLL32.EXE	powershell.exe
PID 2872 wrote to memory of 3828	2872	Chiude.exe.com	WScript.exe
PID 2872 wrote to memory of 3828	2872	Chiude.exe.com	WScript.exe
PID 2872 wrote to memory of 3828	2872	Chiude.exe.com	WScript.exe
PID 3776 wrote to memory of 2576	3776	RUNDLL32.EXE	powershell.exe
PID 3776 wrote to memory of 2576	3776	RUNDLL32.EXE	powershell.exe
PID 3776 wrote to memory of 2576	3776	RUNDLL32.EXE	powershell.exe
PID 2576 wrote to memory of 1664	2576	powershell.exe	nslookup.exe
PID 2576 wrote to memory of 1664	2576	powershell.exe	nslookup.exe
PID 2576 wrote to memory of 1664	2576	powershell.exe	nslookup.exe
PID 3776 wrote to memory of 1676	3776	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\maHwJpej.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\maHwJpej.exe
    "C:\Users\Admin\AppData\Local\Temp\maHwJpej.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Ospitarvi.wp5
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^BlybJrevDIXicTNyHSXAvVvwNqlwGVmOxbiETupYIDdofaDbjqoXAudFNrKISqPHopMXLpjAIYRTEhMcbNPGNChgiCQQvBuHNJqyFFLeOHgCgbqmsfktkpUFWnQpactuSpyVh$" Voi.wp5
        7⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com
        
        Chiude.exe.com J
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com J
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\gnkhhga.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gnkhhga.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\gnkhhga.exe
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL,i049LDZtBYw=
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4F4A.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp61BA.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebolqwbjrnlq.vbs"
        9⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yhrkwtohqkdk.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:3828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:3792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-TR.832.4367.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
52523067315836b9e98f888d01c089c4

SHA1
afc2a0bfa0476f6a5d62c16e29fb3abd12b25866

SHA256
a1197fdbb9c5ca68bd0949f3714641fdc341d716b0ae488bb3d37fd1b7cb47da

SHA512
603597b0e3e31986f3a0075819a5ace82da418ec00291378c1ad809f4b84593b6ea477c3c25d48fa5930da273cf156a2cbb014065f8f9569e62216b0a5589860

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiude.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\J

MD5
fe24a486cd5bb6da8f4665784a50486b

SHA1
59cbc66d7b3d50b5adc6293ced89a291d72ea7d7

SHA256
9a04b8b6f38ddf7c605901a8faa96211eacaa0c86fedd9ae3e098c3ca24030fb

SHA512
a3ac3b200f80d1da72b34f7257c22af8199d049832fead7f69eedeea99b515c74431c0ef191d72d4f201af40da08a0df7127396300bdb0cfdcd7900b6b5d83eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mio.wp5

MD5
587f9124aa53b78af24d167516c047fc

SHA1
e51f025a08e0a10a8c8296f256c9892d111c5bd4

SHA256
047dde75c4713337561660c686afaf0a29af0948693c197c94a8006355a605cb

SHA512
df30bb7d5c8da760436ec830f80d3017b6e1ef1228f46471072a6275824dcbd96d3915558ec7c4097c14437b43c7332b9d9baeb626745d0ca3a7b8bc16dd3259

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ospitarvi.wp5

MD5
e88ee3d282025ead3a85358c7d0a9a69

SHA1
f8139c4bdaf27a4158a4cb9d892c1aa41959e9d6

SHA256
1f1212beb16d87f3ec485d9ae21e1da295ed8a21e6806d152d04ad61240f8fee

SHA512
550627be15a9c488abe8357a47c4666955e2c3e1abc89042bd31ad7f9dc175f10b9b642ebd878c84758b58a7164105ccc9631723874c55c52a3a82dc32b10447

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Scoprirvi.wp5

MD5
fe24a486cd5bb6da8f4665784a50486b

SHA1
59cbc66d7b3d50b5adc6293ced89a291d72ea7d7

SHA256
9a04b8b6f38ddf7c605901a8faa96211eacaa0c86fedd9ae3e098c3ca24030fb

SHA512
a3ac3b200f80d1da72b34f7257c22af8199d049832fead7f69eedeea99b515c74431c0ef191d72d4f201af40da08a0df7127396300bdb0cfdcd7900b6b5d83eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Voi.wp5

MD5
6154da170f0393bd25a4ec43fd504bac

SHA1
606acffc41001c3f3988e2f90357d150f763df9d

SHA256
3be3352be592cef9e2a9989eafb164dac22b346405e1a4dbbe80cc6a5863b8b8

SHA512
49e5efbeb2942a24cf33b9183c4fee9464abf425dfa1175c803cd77e3b9c98b81442c81a3e6d656cccdf2157f7f7240f4a9e68ebf5e1917cba5ad0bfbd824ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
cbfb18145ca9fa74489234b684f3b0b2

SHA1
9c0534cbc672f378f4e7930890b8acc5e35624eb

SHA256
2a1441d07dc6af2a0e4ba2ed0edbaa69af9466c1fdac397b2aebd17ebf01e583

SHA512
636d20cde0dc129e04fc7de2fee3162830cfedd9dffe808ca0bade3944b8d4cc82e4fbabc3186c918d2207471a127bf19a8229400bea91bd90c765298f566733

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
cbfb18145ca9fa74489234b684f3b0b2

SHA1
9c0534cbc672f378f4e7930890b8acc5e35624eb

SHA256
2a1441d07dc6af2a0e4ba2ed0edbaa69af9466c1fdac397b2aebd17ebf01e583

SHA512
636d20cde0dc129e04fc7de2fee3162830cfedd9dffe808ca0bade3944b8d4cc82e4fbabc3186c918d2207471a127bf19a8229400bea91bd90c765298f566733

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
53ea33267e0513878cdc879b0f442252

SHA1
13e9864b9b7694eb0bbedd1c824f3774c90915da

SHA256
6dfbf0ad6cb5f8e20301850c18329304de36553b3750c191930206b91dce28b0

SHA512
dc0e726d71a3d3b21b987cba47d431d444be4f1de668f96e8fd64758affbedee4846aa6218a06f823e7e1e80c8f9cd5996029883b3034eb9db66e8bec97bac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
53ea33267e0513878cdc879b0f442252

SHA1
13e9864b9b7694eb0bbedd1c824f3774c90915da

SHA256
6dfbf0ad6cb5f8e20301850c18329304de36553b3750c191930206b91dce28b0

SHA512
dc0e726d71a3d3b21b987cba47d431d444be4f1de668f96e8fd64758affbedee4846aa6218a06f823e7e1e80c8f9cd5996029883b3034eb9db66e8bec97bac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebolqwbjrnlq.vbs

MD5
36cbf9533726afa527b58712077c7c9b

SHA1
02802b2b7b589a9a28fc2bf868817d5ebcfd1d72

SHA256
e4a3b690c7a0d0e4525efbd7591480e5a8afbe134869aa1e9d6026c938439db4

SHA512
078ec1bafeecab70821cd8c63729f7874c85c94d6dd8e42be3b9fedb9453ab740af0ff353239ea8d98cb483517b476a2990a23ef3086f9c2f6cf9ff197b13742

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnkhhga.exe

MD5
06a1ad96ca8a2c84366bc5fe723a9be6

SHA1
829dd8c99f0e8253ef833619af00a1895d4a4cac

SHA256
b0e26cbdeb8ccd250cccac56058b137c0b57f0915a6312a07d7fb9ba943b4a00

SHA512
b05974220e56740051b7642c93e934cf3a57dc1d5074c4d7bfd80e82eb164c3cbb9f2ce885b524b757f74cd30ba7a5619b594d6a4a0899223ed5521512e9925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnkhhga.exe

MD5
06a1ad96ca8a2c84366bc5fe723a9be6

SHA1
829dd8c99f0e8253ef833619af00a1895d4a4cac

SHA256
b0e26cbdeb8ccd250cccac56058b137c0b57f0915a6312a07d7fb9ba943b4a00

SHA512
b05974220e56740051b7642c93e934cf3a57dc1d5074c4d7bfd80e82eb164c3cbb9f2ce885b524b757f74cd30ba7a5619b594d6a4a0899223ed5521512e9925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\GDVHMH~1.ZIP

MD5
1cf2ce6acade3238bdde69c48883cacd

SHA1
46102decf5c6bfa1d61fc7547f20b1683beda6fa

SHA256
b67e084c480bca5cb8f410f50cb9ba28a3483ba2baa9a9cba1e4013fd595c5c6

SHA512
e82b8cb9cf31f1e876e5fec8c36221ecd690ab078fdcf22ff68e61a59b62611c44df049e6cc63bf9efc6f9e7a16327447b2869b9f0d94c7b0657b46f7f1a7b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\RRGERW~1.ZIP

MD5
30b097f25c76695d710abab734ace09f

SHA1
d39b600c7f0764ae3259b5ed479f10ebfc8a69f7

SHA256
ca3acbdd0671e4f8da16e689c54dfc63988e1b4d90668eca99c85a15ba79730b

SHA512
0a03a0eeda158e685d2da04469f8409f4cbfbbd884f7eb3b2df2a8cf815fd9de6a7952c2ab48441c3b7d7470b9ad61b11a601f000c3dfcb87bcc24589a7049c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\_Files\_INFOR~1.TXT

MD5
7444aa86fccb5c7130c4df1a9c123992

SHA1
0a36b77173a5b672310770daf2dd636444e1194d

SHA256
09f83da5bebf164b4d230f6e118ec24a51ef3f761fddcc2918df2e42896cec68

SHA512
0e6db093ccaa00b2ae52630e439b7589b682d124fe91f31f645326361056a45155b0785f292f9b580648351becb9d03f566c2630fa3a57ba8583545533348495

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\_Files\_SCREE~1.JPE

MD5
84c02750a13922310e25c6f10b03e81e

SHA1
0e28b4708fb2f93c28c36c7e596163c54a8beb72

SHA256
72dea35113518e5af8eedc33d93328d4a3d2b467789d6f838a87d9a617686da8

SHA512
22932b57c7008f2ce7f447b0df333141b3828d036a50ced2ba74e0ad9b3324031be27e5088263359b005eff8d5af1574213c25dd1d3fa269b176959444c300c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\files_\SCREEN~1.JPG

MD5
84c02750a13922310e25c6f10b03e81e

SHA1
0e28b4708fb2f93c28c36c7e596163c54a8beb72

SHA256
72dea35113518e5af8eedc33d93328d4a3d2b467789d6f838a87d9a617686da8

SHA512
22932b57c7008f2ce7f447b0df333141b3828d036a50ced2ba74e0ad9b3324031be27e5088263359b005eff8d5af1574213c25dd1d3fa269b176959444c300c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kHMPhqLQhCZI\files_\SYSTEM~1.TXT

MD5
aab162115d459266674613a87dddb024

SHA1
c15283c027ba1b6d3c5904d8036dde9ba6cb6b61

SHA256
379bf215176927e2ee4d5490bef0f2d070ca6669f7ffd58db43f51bffd16fdd7

SHA512
bb4ee1d4d0b7d505cb634e76441e3aeed56317f6dc132cc80e8220f4dd2295d1e9f2b5f9cd6109885d065d5c2a13da019ef6870df59622bcb36367cbc036ce48

Download Submit
C:\Users\Admin\AppData\Local\Temp\maHwJpej.exe

MD5
63d15d5090f05f893dddb0cfed1ffeb7

SHA1
41ca784d1848feb23abb908d8e0956b4388a3ea8

SHA256
ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e

SHA512
4a112699e8a4de4b8f9eb88a7b8007eff3ccd815988aade292e7ae95bbd5227487f693b57adcf187e425699c57149397c79536a0def8a0acc6d98ee043e748b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\maHwJpej.exe

MD5
63d15d5090f05f893dddb0cfed1ffeb7

SHA1
41ca784d1848feb23abb908d8e0956b4388a3ea8

SHA256
ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e

SHA512
4a112699e8a4de4b8f9eb88a7b8007eff3ccd815988aade292e7ae95bbd5227487f693b57adcf187e425699c57149397c79536a0def8a0acc6d98ee043e748b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F4A.tmp.ps1

MD5
f211ae7dd5805b8f1e80a8e36139f47e

SHA1
00489785ee8b7ca0b1632403808b7f45c6576e60

SHA256
edb0b32e008746f3c1372e839bb0fd2b8a025d1e776be5c8ebfa104f491c6a62

SHA512
14f0e0b05007406374571e764b939bbd847902914e2da49269b84e8380fd1fceb0fd44e78cd0a182584d5296ebe0e9b7ad8de4731801e61f35817099ba477500

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F4B.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61BA.tmp.ps1

MD5
e16e415b42de6cdbe342c9996870af11

SHA1
144c43d3408ed32f79ace57852ae96f739c663ba

SHA256
63f456280fb523f8ed3d15d630db42b69aa02b5c6c9da9d9a540d37e179a8a50

SHA512
68bf5a23104283763964a8d291bcf8efa9f546037b64b8ebb3350e766016cc7730c13b1c8024bb8a404a8f4db66a58b471c5ed1b86a1278c4b852a783dbba241

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61BB.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhrkwtohqkdk.vbs

MD5
1a9872b208c0dbe2a3b91dff6fa119dc

SHA1
ee76cac489c305d339cd410b38d7b875c9b038af

SHA256
fd154cfb0a36baa484a5b5a6b4470cd785635631bcaaaec3b7adfa83c043d4e4

SHA512
e4309013d00a24a8c43f2e374868a916d386b938aa175c30137ff96664389551849f65d0c2a157788fa2fa1d26f47accd6d798eeae203d13156dd79ebd0428a3

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
cbfb18145ca9fa74489234b684f3b0b2

SHA1
9c0534cbc672f378f4e7930890b8acc5e35624eb

SHA256
2a1441d07dc6af2a0e4ba2ed0edbaa69af9466c1fdac397b2aebd17ebf01e583

SHA512
636d20cde0dc129e04fc7de2fee3162830cfedd9dffe808ca0bade3944b8d4cc82e4fbabc3186c918d2207471a127bf19a8229400bea91bd90c765298f566733

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
cbfb18145ca9fa74489234b684f3b0b2

SHA1
9c0534cbc672f378f4e7930890b8acc5e35624eb

SHA256
2a1441d07dc6af2a0e4ba2ed0edbaa69af9466c1fdac397b2aebd17ebf01e583

SHA512
636d20cde0dc129e04fc7de2fee3162830cfedd9dffe808ca0bade3944b8d4cc82e4fbabc3186c918d2207471a127bf19a8229400bea91bd90c765298f566733

Download Submit
\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\GNKHHG~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsw6345.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/484-124-0x0000000000000000-mapping.dmp

Download
memory/740-147-0x0000000000000000-mapping.dmp

Download
memory/1128-133-0x0000000000000000-mapping.dmp

Download
memory/1244-129-0x0000000000000000-mapping.dmp

Download
memory/1320-117-0x0000000000000000-mapping.dmp

Download
memory/1612-127-0x0000000000000000-mapping.dmp

Download
memory/1664-239-0x0000000000000000-mapping.dmp

Download
memory/1676-242-0x0000000000000000-mapping.dmp

Download
memory/1896-160-0x0000000000000000-mapping.dmp

Download
memory/2124-152-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2124-121-0x0000000000000000-mapping.dmp

Download
memory/2124-151-0x0000000000690000-0x00000000006B6000-memory.dmp

Filesize
152KB

Download
memory/2408-154-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2408-148-0x0000000000000000-mapping.dmp

Download
memory/2528-140-0x0000000000000000-mapping.dmp

Download
memory/2576-228-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/2576-216-0x0000000000000000-mapping.dmp

Download
memory/2576-243-0x0000000004F03000-0x0000000004F04000-memory.dmp

Filesize
4KB

Download
memory/2576-225-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/2576-231-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2576-232-0x0000000004F02000-0x0000000004F03000-memory.dmp

Filesize
4KB

Download
memory/2684-197-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/2684-192-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2684-214-0x0000000004F73000-0x0000000004F74000-memory.dmp

Filesize
4KB

Download
memory/2684-211-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/2684-210-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/2684-187-0x0000000000000000-mapping.dmp

Download
memory/2684-190-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2684-191-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2684-193-0x0000000004F72000-0x0000000004F73000-memory.dmp

Filesize
4KB

Download
memory/2684-202-0x0000000008B10000-0x0000000008B11000-memory.dmp

Filesize
4KB

Download
memory/2684-194-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/2684-195-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/2684-196-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2684-209-0x000000000A1B0000-0x000000000A1B1000-memory.dmp

Filesize
4KB

Download
memory/2684-198-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2684-199-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/2684-200-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/2828-130-0x0000000000000000-mapping.dmp

Download
memory/2872-137-0x0000000000000000-mapping.dmp

Download
memory/2872-156-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3172-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3172-114-0x0000000002220000-0x0000000002301000-memory.dmp

Filesize
900KB

Download
memory/3464-116-0x0000000000000000-mapping.dmp

Download
memory/3584-164-0x0000000000BA0000-0x0000000000CEA000-memory.dmp

Filesize
1.3MB

Download
memory/3584-157-0x0000000000000000-mapping.dmp

Download
memory/3584-163-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3584-162-0x0000000002DB0000-0x00000000034B7000-memory.dmp

Filesize
7.0MB

Download
memory/3604-244-0x0000000000000000-mapping.dmp

Download
memory/3668-165-0x0000000000000000-mapping.dmp

Download
memory/3668-179-0x0000000004F51000-0x00000000055B0000-memory.dmp

Filesize
6.4MB

Download
memory/3668-169-0x00000000041D0000-0x0000000004795000-memory.dmp

Filesize
5.8MB

Download
memory/3668-170-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/3668-180-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3776-215-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3776-175-0x0000000000000000-mapping.dmp

Download
memory/3776-178-0x0000000004270000-0x0000000004835000-memory.dmp

Filesize
5.8MB

Download
memory/3776-186-0x0000000004E81000-0x00000000054E0000-memory.dmp

Filesize
6.4MB

Download
memory/3776-181-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/3792-136-0x0000000000000000-mapping.dmp

Download
memory/3828-205-0x0000000000000000-mapping.dmp

Download