cryptbot | 9ac798196b54bcc62cf880e28321e32b2b59cdab375267027f5e812c139c1892

Analysis

max time kernel
142s
max time network
128s
platform
windows10_x64
resource
win10v20210408
submitted
05-06-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c2b0bda407dc5959dbf8ddab4f143ad.exe
Size

708KB
MD5

7c2b0bda407dc5959dbf8ddab4f143ad
SHA1

7e39313fad0c98c495ee8697720fa50aba399219
SHA256

9ac798196b54bcc62cf880e28321e32b2b59cdab375267027f5e812c139c1892
SHA512

5125da80b483a39306eea5c74890dd814daa17e6bddd9d1e8aada5bac35dd8b982a2b75dc526894ef7f7c67f78ea8f13d67d58ebfbd3b7d9ac07d6ef3098ae86

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

nimqfv52.top

moryhm05.top

Attributes

payload_url
http://noiriz07.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/764-114-0x00000000022A0000-0x0000000002381000-memory.dmp	family_cryptbot
behavioral2/memory/764-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

36 3700 RUNDLL32.EXE
38 1772 WScript.exe
40 1772 WScript.exe
42 1772 WScript.exe
44 1772 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

ThTYAKaw.exevpn.exe4.exeIpogeo.exe.comIpogeo.exe.comSmartClock.exesvbdsrwmmn.exe

pid process

4032 ThTYAKaw.exe
1620 vpn.exe
3956 4.exe
2140 Ipogeo.exe.com
1868 Ipogeo.exe.com
3424 SmartClock.exe
3872 svbdsrwmmn.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

ThTYAKaw.exerundll32.exeRUNDLL32.EXE

pid process

4032 ThTYAKaw.exe
2360 rundll32.exe
2360 rundll32.exe
3700 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com

flow	pid	process
36	3700	RUNDLL32.EXE
38	1772	WScript.exe
40	1772	WScript.exe
42	1772	WScript.exe
44	1772	WScript.exe

pid	process
4032	ThTYAKaw.exe
1620	vpn.exe
3956	4.exe
2140	Ipogeo.exe.com
1868	Ipogeo.exe.com
3424	SmartClock.exe
3872	svbdsrwmmn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
4032	ThTYAKaw.exe
2360	rundll32.exe
2360	rundll32.exe
3700	RUNDLL32.EXE

flow	ioc
23	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

ThTYAKaw.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	ThTYAKaw.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	ThTYAKaw.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	ThTYAKaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ipogeo.exe.comRUNDLL32.EXE7c2b0bda407dc5959dbf8ddab4f143ad.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ipogeo.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7c2b0bda407dc5959dbf8ddab4f143ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7c2b0bda407dc5959dbf8ddab4f143ad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ipogeo.exe.com

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2792 timeout.exe
Modifies registry class 1 IoCs

Processes:

Ipogeo.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Ipogeo.exe.com

pid	process
2792	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Ipogeo.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2228 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3424 SmartClock.exe

pid	process
2228	PING.EXE

pid	process
3424	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe
3700	RUNDLL32.EXE
3700	RUNDLL32.EXE
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2360	rundll32.exe
Token: SeDebugPrivilege	3700	RUNDLL32.EXE
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7c2b0bda407dc5959dbf8ddab4f143ad.exeRUNDLL32.EXE

pid process

764 7c2b0bda407dc5959dbf8ddab4f143ad.exe
764 7c2b0bda407dc5959dbf8ddab4f143ad.exe
3700 RUNDLL32.EXE

pid	process
764	7c2b0bda407dc5959dbf8ddab4f143ad.exe
764	7c2b0bda407dc5959dbf8ddab4f143ad.exe
3700	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c2b0bda407dc5959dbf8ddab4f143ad.execmd.exeThTYAKaw.exevpn.execmd.execmd.exeIpogeo.exe.comcmd.exe4.exeIpogeo.exe.comsvbdsrwmmn.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 764 wrote to memory of 1548	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 764 wrote to memory of 1548	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 764 wrote to memory of 1548	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 1548 wrote to memory of 4032	1548	cmd.exe	ThTYAKaw.exe
PID 1548 wrote to memory of 4032	1548	cmd.exe	ThTYAKaw.exe
PID 1548 wrote to memory of 4032	1548	cmd.exe	ThTYAKaw.exe
PID 4032 wrote to memory of 1620	4032	ThTYAKaw.exe	vpn.exe
PID 4032 wrote to memory of 1620	4032	ThTYAKaw.exe	vpn.exe
PID 4032 wrote to memory of 1620	4032	ThTYAKaw.exe	vpn.exe
PID 4032 wrote to memory of 3956	4032	ThTYAKaw.exe	4.exe
PID 4032 wrote to memory of 3956	4032	ThTYAKaw.exe	4.exe
PID 4032 wrote to memory of 3956	4032	ThTYAKaw.exe	4.exe
PID 1620 wrote to memory of 776	1620	vpn.exe	cmd.exe
PID 1620 wrote to memory of 776	1620	vpn.exe	cmd.exe
PID 1620 wrote to memory of 776	1620	vpn.exe	cmd.exe
PID 776 wrote to memory of 2948	776	cmd.exe	cmd.exe
PID 776 wrote to memory of 2948	776	cmd.exe	cmd.exe
PID 776 wrote to memory of 2948	776	cmd.exe	cmd.exe
PID 2948 wrote to memory of 2276	2948	cmd.exe	findstr.exe
PID 2948 wrote to memory of 2276	2948	cmd.exe	findstr.exe
PID 2948 wrote to memory of 2276	2948	cmd.exe	findstr.exe
PID 2948 wrote to memory of 2140	2948	cmd.exe	Ipogeo.exe.com
PID 2948 wrote to memory of 2140	2948	cmd.exe	Ipogeo.exe.com
PID 2948 wrote to memory of 2140	2948	cmd.exe	Ipogeo.exe.com
PID 2948 wrote to memory of 2228	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2228	2948	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2228	2948	cmd.exe	PING.EXE
PID 2140 wrote to memory of 1868	2140	Ipogeo.exe.com	Ipogeo.exe.com
PID 2140 wrote to memory of 1868	2140	Ipogeo.exe.com	Ipogeo.exe.com
PID 2140 wrote to memory of 1868	2140	Ipogeo.exe.com	Ipogeo.exe.com
PID 764 wrote to memory of 2816	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 764 wrote to memory of 2816	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 764 wrote to memory of 2816	764	7c2b0bda407dc5959dbf8ddab4f143ad.exe	cmd.exe
PID 2816 wrote to memory of 2792	2816	cmd.exe	timeout.exe
PID 2816 wrote to memory of 2792	2816	cmd.exe	timeout.exe
PID 2816 wrote to memory of 2792	2816	cmd.exe	timeout.exe
PID 3956 wrote to memory of 3424	3956	4.exe	SmartClock.exe
PID 3956 wrote to memory of 3424	3956	4.exe	SmartClock.exe
PID 3956 wrote to memory of 3424	3956	4.exe	SmartClock.exe
PID 1868 wrote to memory of 3872	1868	Ipogeo.exe.com	svbdsrwmmn.exe
PID 1868 wrote to memory of 3872	1868	Ipogeo.exe.com	svbdsrwmmn.exe
PID 1868 wrote to memory of 3872	1868	Ipogeo.exe.com	svbdsrwmmn.exe
PID 1868 wrote to memory of 2264	1868	Ipogeo.exe.com	WScript.exe
PID 1868 wrote to memory of 2264	1868	Ipogeo.exe.com	WScript.exe
PID 1868 wrote to memory of 2264	1868	Ipogeo.exe.com	WScript.exe
PID 3872 wrote to memory of 2360	3872	svbdsrwmmn.exe	rundll32.exe
PID 3872 wrote to memory of 2360	3872	svbdsrwmmn.exe	rundll32.exe
PID 3872 wrote to memory of 2360	3872	svbdsrwmmn.exe	rundll32.exe
PID 2360 wrote to memory of 3700	2360	rundll32.exe	RUNDLL32.EXE
PID 2360 wrote to memory of 3700	2360	rundll32.exe	RUNDLL32.EXE
PID 2360 wrote to memory of 3700	2360	rundll32.exe	RUNDLL32.EXE
PID 1868 wrote to memory of 1772	1868	Ipogeo.exe.com	WScript.exe
PID 1868 wrote to memory of 1772	1868	Ipogeo.exe.com	WScript.exe
PID 1868 wrote to memory of 1772	1868	Ipogeo.exe.com	WScript.exe
PID 3700 wrote to memory of 3756	3700	RUNDLL32.EXE	powershell.exe
PID 3700 wrote to memory of 3756	3700	RUNDLL32.EXE	powershell.exe
PID 3700 wrote to memory of 3756	3700	RUNDLL32.EXE	powershell.exe
PID 3700 wrote to memory of 3876	3700	RUNDLL32.EXE	powershell.exe
PID 3700 wrote to memory of 3876	3700	RUNDLL32.EXE	powershell.exe
PID 3700 wrote to memory of 3876	3700	RUNDLL32.EXE	powershell.exe
PID 3876 wrote to memory of 1140	3876	powershell.exe	nslookup.exe
PID 3876 wrote to memory of 1140	3876	powershell.exe	nslookup.exe
PID 3876 wrote to memory of 1140	3876	powershell.exe	nslookup.exe
PID 3700 wrote to memory of 2072	3700	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7c2b0bda407dc5959dbf8ddab4f143ad.exe
"C:\Users\Admin\AppData\Local\Temp\7c2b0bda407dc5959dbf8ddab4f143ad.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ThTYAKaw.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\ThTYAKaw.exe
    "C:\Users\Admin\AppData\Local\Temp\ThTYAKaw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Fai.mp4
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^jMOtTsVOtSzoHJrwXZUHhBaJAxyITaBXyEoEEDIKCjsqTrlytEwGQzcLzyDmjjUMscerAmbzsptwpsPbpZEfdVuMpvlnZpndsEJnqiFEiIfHfxBwdudhIFvcgdUtfY$" Ora.mp4
        7⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com
        
        Ipogeo.exe.com w
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com w
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\svbdsrwmmn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svbdsrwmmn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SVBDSR~1.EXE
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL,eB5aZI0=
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBC3C.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDC0B.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcqqreyaqy.vbs"
        9⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ygmetgb.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:1772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7c2b0bda407dc5959dbf8ddab4f143ad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fc3de63f30071cee187e2cec223f00b6

SHA1
c8e485bfcc896498d60152f4bdfb3af5fc02f55a

SHA256
f0bd2cb6f4d7d9981452a21da9d1e461e2ccb5d41a4dd61d78a7922d6ef116a8

SHA512
87250a3911a8d3793fd1d4e1298da8a508d5dfe6fa9016ced7a066678d42f5d01ed851382d46110a268f50e3773a93cd84e756c2f31e46ceab79ce0c7f48fe02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Eleganza.mp4

MD5
81411ecc1731b99870add5ed3bbe78d7

SHA1
e47c50e2adca9d0bf70e82ed045fdaa278ebceb5

SHA256
dc5845412944e2fd9d7d82bc3ede63a9dcf39bd831740d39c28499ed1bfc7b1b

SHA512
a572a1a6b4523182d93618b1266532c86842f360b6c1fb1b6a9c0a89ab802efb1667e33b302fa33bf9d3b29be1ab72814179a12021123a1df4af56380cb633de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fai.mp4

MD5
9b2d542b503ef693f1c33961f1e7c681

SHA1
56f06e581fd3cf7193dcc2229356952dde4d22e9

SHA256
75187fb061e7ae247d4ea91ce90013960fa8351ca592fdb625bd717690ba87fa

SHA512
09901ef283a56f614cd12017c95f0b64c35141ae3d20c48ce7a637421fe62f08787b38816caebb7d8f2b0c4d6855e164571c8400ca63588605b86353c96379b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ipogeo.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ora.mp4

MD5
d1c81a5f592adceec4772f54279debb1

SHA1
ceafed96a4ec5cb9230dc1b3f611ade681fba7f4

SHA256
657433c07136726e28b4428630bd827c7e15045a52f881d0243882e9d8720408

SHA512
01699524a3cdd36eb52b658402eb04289cb0cf8b773ae6278cb947ea61e09f9727da3a817f75805d042d52dcfc2d9fee80c2720687e223e5c7aedbcad7b00f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rimasta.mp4

MD5
af3cf8c1d5d3ecebdaa07592240b5fc8

SHA1
a49eeeb20fd8d1277d06758c099005f778ebfb91

SHA256
995f43d1c43ae19bfe495b08dd4f02c64af85fe51a345a132faed8b45456042d

SHA512
c550993b2ea06afc5652c79294b27e0a79ff28c7298b87eb4dcddf6701cb62d8972595e5a893bcedf088247d1a22ccc40bf11191341d1b2cf0be226f418d2aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\w

MD5
af3cf8c1d5d3ecebdaa07592240b5fc8

SHA1
a49eeeb20fd8d1277d06758c099005f778ebfb91

SHA256
995f43d1c43ae19bfe495b08dd4f02c64af85fe51a345a132faed8b45456042d

SHA512
c550993b2ea06afc5652c79294b27e0a79ff28c7298b87eb4dcddf6701cb62d8972595e5a893bcedf088247d1a22ccc40bf11191341d1b2cf0be226f418d2aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
f6338172d5221bcabd913e7a58194ac3

SHA1
d586e567fffcc3073304794295cd73b90988e3bb

SHA256
a7cd3515d40e3bf5ed25f35db0568c0f0c531de2e03b36f61dacbf5fdd525fa5

SHA512
f33d065a9a7f1832e19be9e9fc9cd0452b9aa73e8a99958f21f04c9a30d7996b32d0bfa9b4999a9a50cd02141bf63ef467eeeefb3532ea6b2ad85ca1bceeeecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
f6338172d5221bcabd913e7a58194ac3

SHA1
d586e567fffcc3073304794295cd73b90988e3bb

SHA256
a7cd3515d40e3bf5ed25f35db0568c0f0c531de2e03b36f61dacbf5fdd525fa5

SHA512
f33d065a9a7f1832e19be9e9fc9cd0452b9aa73e8a99958f21f04c9a30d7996b32d0bfa9b4999a9a50cd02141bf63ef467eeeefb3532ea6b2ad85ca1bceeeecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
e9f08b7c37708d469161e9498650aa60

SHA1
4f97e4ca309140e51add36aa9fd19c384ebee596

SHA256
fc50c910418dd8bea3fae884a995000049e4456824c0e4a69216f6878192ea53

SHA512
4515c748b46444b7b62debd2dfd22d24edb7447fcd22e96afe57d6ac4e605e1dc8e8d663b8f044d4a900617d3208062c6558b787a99ac728f259351b70b953b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
e9f08b7c37708d469161e9498650aa60

SHA1
4f97e4ca309140e51add36aa9fd19c384ebee596

SHA256
fc50c910418dd8bea3fae884a995000049e4456824c0e4a69216f6878192ea53

SHA512
4515c748b46444b7b62debd2dfd22d24edb7447fcd22e96afe57d6ac4e605e1dc8e8d663b8f044d4a900617d3208062c6558b787a99ac728f259351b70b953b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThTYAKaw.exe

MD5
4c3b7878e92b4048648d51464e6149c3

SHA1
5b4f38435fb2e3c9915e371cee83d5f5a5a26181

SHA256
4e4c0f9911df8f29648ab7aad0faa2ee97438db80bf79892a700151d7344e190

SHA512
0b200f588d25bce03fcf48eb74c8fabc7fc25de3cd1b2fec57f451e2b4f924093b177945ccb58e29a814a50e65a7698e88ab5c062c7eaabd61617f4ad795ad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThTYAKaw.exe

MD5
4c3b7878e92b4048648d51464e6149c3

SHA1
5b4f38435fb2e3c9915e371cee83d5f5a5a26181

SHA256
4e4c0f9911df8f29648ab7aad0faa2ee97438db80bf79892a700151d7344e190

SHA512
0b200f588d25bce03fcf48eb74c8fabc7fc25de3cd1b2fec57f451e2b4f924093b177945ccb58e29a814a50e65a7698e88ab5c062c7eaabd61617f4ad795ad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcqqreyaqy.vbs

MD5
693786f78b2d08c5857ac5fb244975c0

SHA1
9293cd94a19dd8e50f24a005eade7a893a379333

SHA256
3a325d15eb7d9172a51bcece7a7192ce823938ee38b1a39a5c9e4864b98d3417

SHA512
f16760f9c52fda1f1d46ae820dc678d50fbfb349bd7b674b769bb6a4a4d262cfb4f33697c90b8a41608986dde7a7470fca019ab95b69079fc4e4ddc2f5ad0c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\EXMQZS~1.ZIP

MD5
88b8d998b493ddc84924fc0e76c23986

SHA1
cc447f475c0eecd4d3fd1dbfbbc325f5ccff9c31

SHA256
b3228826b0cf64d7bb6040a4770b207cdc84d44f8db122927ac0248e78778fb9

SHA512
e353cd5c7cb49b9ec273f3c0b4647e7d37790b95edd8082aa271fd3511cf907f3fa2272e5d7269fc4a3f5f684c1d5c3ef64f883d0929c802b9f5242b2441fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\SKTFSI~1.ZIP

MD5
2ab61f9ed4dba47b23b84cabb2d6c546

SHA1
fd7504627f007a96e86056ed39483ec9b35f86ef

SHA256
12e43ae4104a98d6d2eee833a1f35e1e31a019a4ab3564c4b9b083df6ae0b877

SHA512
614df9eeeb3fd0808c94ed3e3b9a3e8136b4d4483c8a26c031894b93536f1a18b128d258a8b68de86f87808f1f5b131e53aca094b8bc0fc46c7f029a471c6b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\_Files\_INFOR~1.TXT

MD5
a8bbbe2a6ca1a39697b86da925b338fb

SHA1
d24d8b9c0a5ece1562805b6a8c3ce0efd1b34c12

SHA256
fae4df858b1d06d6f172fb3bbc856f5c663f8ad9f4c9c7e35ed884b392d30ad7

SHA512
7dcc40bbde0066bbe7f26ea33a01d8cc8150ee6b4671660491f3475026ceee5a1ba59b634042bec907e8a4eed2508d3de92490549ee92122232cf03bd92b6fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\_Files\_SCREE~1.JPE

MD5
3f8b96e2aab286fec3583074a689f774

SHA1
7b4d78d6b316ededb26c4c05b5733da084f6507c

SHA256
67327153f035836d73e824690df28eca99d90f9fd20aa4fdffd42487c4c40e54

SHA512
61c07421371b75a41fe19ec66b87a25513de7315b0830493de9ccc32639bafc50b625f808dd404e4a043e76e0cabdfc7bf5a8ca208bd71f8c18f3fa78c769d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\files_\SCREEN~1.JPG

MD5
3f8b96e2aab286fec3583074a689f774

SHA1
7b4d78d6b316ededb26c4c05b5733da084f6507c

SHA256
67327153f035836d73e824690df28eca99d90f9fd20aa4fdffd42487c4c40e54

SHA512
61c07421371b75a41fe19ec66b87a25513de7315b0830493de9ccc32639bafc50b625f808dd404e4a043e76e0cabdfc7bf5a8ca208bd71f8c18f3fa78c769d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrtvbfvxJgVF\files_\SYSTEM~1.TXT

MD5
0dfc8de99087e4e7d058265bcb529952

SHA1
c48bc7c08414d1f76fd1f103aa2897414dfc5382

SHA256
acde399a877dfe6a58540d2c5cc849663421c80bd57bae59d871c7f197420166

SHA512
6f82107294378377a3033f2bacec6e30d63d14c5c8a6a96f3ec8eadd1d47964c3a8dc8e57bc4e2db9c2b33171263b626e5e7e797934d38f46f85bf92e2872768

Download Submit
C:\Users\Admin\AppData\Local\Temp\svbdsrwmmn.exe

MD5
40e645feaed8ad68597e1a8a74fd36fa

SHA1
aa92369afd54fb4d16bbb55599452f51eb9a6aca

SHA256
074478496fa6b67a088cd998fdeb2e354dffebed0de6a474bc94f0435cda6aec

SHA512
952f0370c09303775fbfdd2a46f7e08ea2d63f7e461962814b6edd8519561c76bc784f0a71496ac7eb28f4181f9ca3b35b5092f82b34b2d4f2bc4324d9a6bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\svbdsrwmmn.exe

MD5
40e645feaed8ad68597e1a8a74fd36fa

SHA1
aa92369afd54fb4d16bbb55599452f51eb9a6aca

SHA256
074478496fa6b67a088cd998fdeb2e354dffebed0de6a474bc94f0435cda6aec

SHA512
952f0370c09303775fbfdd2a46f7e08ea2d63f7e461962814b6edd8519561c76bc784f0a71496ac7eb28f4181f9ca3b35b5092f82b34b2d4f2bc4324d9a6bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC3C.tmp.ps1

MD5
0a3dc5730449ad1acb15ab6e9bb92e29

SHA1
8b1dacac9c86ba72568ce4cd90fdb2605a66f76d

SHA256
b11172a3a4df30fedaf6b9edbae097d4dcfaddcc57f58729921d186a7523c622

SHA512
2d7bac6276cf0a83704097ac3923919cd6aede64736b4b9a2a6442ef45b054f3e841e01728b615aae1f7ea12f30c8f27641f170d08288e150da05b915bf5d1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC3D.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC0B.tmp.ps1

MD5
45c7f646f6de89a6b0a76c2f3b4996c7

SHA1
bb64f528e00f872296873247fb3184a9bbe25346

SHA256
35ec5cffd91c6027fa273d953f6bd2a77715efda3ba8a9b8a0d6541acf59e802

SHA512
c1991e629f698a1ed1c7e78de87df7efae6fb630137b1c615549118571434d524cd51c3747dafca618df5d27e35aa554c71d7b5b8fdb82b15e475c750caa6e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC1B.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygmetgb.vbs

MD5
2828e5570ba097965dde4b087c9bd7e9

SHA1
75346781c7b0097b16046994842f784d4ad3840f

SHA256
a2ebe31de5c4bdf628a8856d54db81cb278a7c29553fc9e717b92fa12993dbd0

SHA512
a88fcdb729e612e6b7abcc855ce438ae19d77105e3f849dc7e9cd7b330109a12a41f519f3aabf76f336b56c07daacf880ee1573f46e06d20d9d8a147adb02244

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
f6338172d5221bcabd913e7a58194ac3

SHA1
d586e567fffcc3073304794295cd73b90988e3bb

SHA256
a7cd3515d40e3bf5ed25f35db0568c0f0c531de2e03b36f61dacbf5fdd525fa5

SHA512
f33d065a9a7f1832e19be9e9fc9cd0452b9aa73e8a99958f21f04c9a30d7996b32d0bfa9b4999a9a50cd02141bf63ef467eeeefb3532ea6b2ad85ca1bceeeecb

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
f6338172d5221bcabd913e7a58194ac3

SHA1
d586e567fffcc3073304794295cd73b90988e3bb

SHA256
a7cd3515d40e3bf5ed25f35db0568c0f0c531de2e03b36f61dacbf5fdd525fa5

SHA512
f33d065a9a7f1832e19be9e9fc9cd0452b9aa73e8a99958f21f04c9a30d7996b32d0bfa9b4999a9a50cd02141bf63ef467eeeefb3532ea6b2ad85ca1bceeeecb

Download Submit
\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\SVBDSR~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nswC923.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/764-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/764-114-0x00000000022A0000-0x0000000002381000-memory.dmp

Filesize
900KB

Download
memory/776-127-0x0000000000000000-mapping.dmp

Download
memory/900-235-0x0000000000000000-mapping.dmp

Download
memory/1140-230-0x0000000000000000-mapping.dmp

Download
memory/1548-116-0x0000000000000000-mapping.dmp

Download
memory/1620-121-0x0000000000000000-mapping.dmp

Download
memory/1772-178-0x0000000000000000-mapping.dmp

Download
memory/1868-137-0x0000000000000000-mapping.dmp

Download
memory/1868-155-0x0000000000D20000-0x0000000000E6A000-memory.dmp

Filesize
1.3MB

Download
memory/2072-234-0x0000000000000000-mapping.dmp

Download
memory/2140-133-0x0000000000000000-mapping.dmp

Download
memory/2228-136-0x0000000000000000-mapping.dmp

Download
memory/2264-160-0x0000000000000000-mapping.dmp

Download
memory/2276-130-0x0000000000000000-mapping.dmp

Download
memory/2360-173-0x0000000004ED1000-0x0000000005530000-memory.dmp

Filesize
6.4MB

Download
memory/2360-177-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2360-170-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2360-169-0x0000000004390000-0x0000000004955000-memory.dmp

Filesize
5.8MB

Download
memory/2360-165-0x0000000000000000-mapping.dmp

Download
memory/2792-146-0x0000000000000000-mapping.dmp

Download
memory/2816-139-0x0000000000000000-mapping.dmp

Download
memory/2948-129-0x0000000000000000-mapping.dmp

Download
memory/3424-148-0x0000000000000000-mapping.dmp

Download
memory/3424-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3700-175-0x00000000054D1000-0x0000000005B30000-memory.dmp

Filesize
6.4MB

Download
memory/3700-171-0x0000000000000000-mapping.dmp

Download
memory/3700-219-0x0000000003200000-0x00000000032AE000-memory.dmp

Filesize
696KB

Download
memory/3756-191-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/3756-180-0x0000000000000000-mapping.dmp

Download
memory/3756-186-0x0000000004CD2000-0x0000000004CD3000-memory.dmp

Filesize
4KB

Download
memory/3756-187-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/3756-188-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/3756-189-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/3756-190-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3756-184-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/3756-192-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/3756-193-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/3756-183-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3756-195-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/3756-200-0x0000000009FA0000-0x0000000009FA1000-memory.dmp

Filesize
4KB

Download
memory/3756-201-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/3756-202-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/3756-185-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3756-205-0x0000000004CD3000-0x0000000004CD4000-memory.dmp

Filesize
4KB

Download
memory/3872-162-0x0000000002EC0000-0x00000000035C7000-memory.dmp

Filesize
7.0MB

Download
memory/3872-164-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3872-157-0x0000000000000000-mapping.dmp

Download
memory/3872-163-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3876-218-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/3876-220-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/3876-221-0x0000000006A02000-0x0000000006A03000-memory.dmp

Filesize
4KB

Download
memory/3876-206-0x0000000000000000-mapping.dmp

Download
memory/3876-215-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/3876-233-0x0000000006A03000-0x0000000006A04000-memory.dmp

Filesize
4KB

Download
memory/3956-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3956-151-0x00000000006D0000-0x00000000006F6000-memory.dmp

Filesize
152KB

Download
memory/3956-124-0x0000000000000000-mapping.dmp

Download
memory/4032-117-0x0000000000000000-mapping.dmp

Download