cryptbot | 9bae907c90204ebf2ac85fe63e96ffb3422505631698ce9165053ab0125d1d9a

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10v20210410
submitted
08-06-2021 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
Size

724KB
MD5

96252c0e8e662be93777228beeb11511
SHA1

0a9642ac8bc109d0a0f97b80ee1426e6911aa5d7
SHA256

9bae907c90204ebf2ac85fe63e96ffb3422505631698ce9165053ab0125d1d9a
SHA512

52fe4a268b302250ae0772aa0d434fd7268fb8171441c772474717a605877e6dde56c32c5e23a04975bf7307f605f2057f7269f16fd9df293f75e0b3712f2435

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

olmrso12.top

morleg01.top

Attributes

payload_url
http://vamgha01.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3904-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3904-114-0x0000000002180000-0x0000000002261000-memory.dmp	family_cryptbot
behavioral2/memory/1352-148-0x00000000004E0000-0x000000000058E000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

36 3176 RUNDLL32.EXE
38 3860 WScript.exe
40 3860 WScript.exe
42 3860 WScript.exe
44 3860 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

aqFIU.exevpn.exe4.exeEsplorarne.exe.comEsplorarne.exe.comSmartClock.exejklmqyaulo.exe

pid process

4092 aqFIU.exe
3748 vpn.exe
1352 4.exe
1292 Esplorarne.exe.com
1824 Esplorarne.exe.com
3920 SmartClock.exe
1812 jklmqyaulo.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

aqFIU.exerundll32.exeRUNDLL32.EXE

pid process

4092 aqFIU.exe
2240 rundll32.exe
2240 rundll32.exe
3176 RUNDLL32.EXE
3176 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com

flow	pid	process
36	3176	RUNDLL32.EXE
38	3860	WScript.exe
40	3860	WScript.exe
42	3860	WScript.exe
44	3860	WScript.exe

pid	process
4092	aqFIU.exe
3748	vpn.exe
1352	4.exe
1292	Esplorarne.exe.com
1824	Esplorarne.exe.com
3920	SmartClock.exe
1812	jklmqyaulo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
4092	aqFIU.exe
2240	rundll32.exe
2240	rundll32.exe
3176	RUNDLL32.EXE
3176	RUNDLL32.EXE

flow	ioc
23	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

aqFIU.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	aqFIU.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	aqFIU.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	aqFIU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exeEsplorarne.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1840 timeout.exe
Modifies registry class 1 IoCs

Processes:

Esplorarne.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Esplorarne.exe.com

pid	process
1840	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Esplorarne.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3040 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3920 SmartClock.exe

pid	process
3040	PING.EXE

pid	process
3920	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
3176	RUNDLL32.EXE
3176	RUNDLL32.EXE
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	rundll32.exe
Token: SeDebugPrivilege	3176	RUNDLL32.EXE
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exevpn.exeRUNDLL32.EXE

pid process

3904 9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
3904 9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
3748 vpn.exe
3176 RUNDLL32.EXE

pid	process
3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
3748	vpn.exe
3176	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bae907c90204ebf2ac85fe63e96ffb3422505631698c.execmd.exeaqFIU.exevpn.execmd.execmd.execmd.exeEsplorarne.exe.com4.exeEsplorarne.exe.comjklmqyaulo.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3904 wrote to memory of 2720	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 3904 wrote to memory of 2720	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 3904 wrote to memory of 2720	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 2720 wrote to memory of 4092	2720	cmd.exe	aqFIU.exe
PID 2720 wrote to memory of 4092	2720	cmd.exe	aqFIU.exe
PID 2720 wrote to memory of 4092	2720	cmd.exe	aqFIU.exe
PID 4092 wrote to memory of 3748	4092	aqFIU.exe	vpn.exe
PID 4092 wrote to memory of 3748	4092	aqFIU.exe	vpn.exe
PID 4092 wrote to memory of 3748	4092	aqFIU.exe	vpn.exe
PID 4092 wrote to memory of 1352	4092	aqFIU.exe	4.exe
PID 4092 wrote to memory of 1352	4092	aqFIU.exe	4.exe
PID 4092 wrote to memory of 1352	4092	aqFIU.exe	4.exe
PID 3748 wrote to memory of 1100	3748	vpn.exe	cmd.exe
PID 3748 wrote to memory of 1100	3748	vpn.exe	cmd.exe
PID 3748 wrote to memory of 1100	3748	vpn.exe	cmd.exe
PID 1100 wrote to memory of 3928	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 3928	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 3928	1100	cmd.exe	cmd.exe
PID 3928 wrote to memory of 3964	3928	cmd.exe	findstr.exe
PID 3928 wrote to memory of 3964	3928	cmd.exe	findstr.exe
PID 3928 wrote to memory of 3964	3928	cmd.exe	findstr.exe
PID 3904 wrote to memory of 3100	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 3904 wrote to memory of 3100	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 3904 wrote to memory of 3100	3904	9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe	cmd.exe
PID 3100 wrote to memory of 1840	3100	cmd.exe	timeout.exe
PID 3100 wrote to memory of 1840	3100	cmd.exe	timeout.exe
PID 3100 wrote to memory of 1840	3100	cmd.exe	timeout.exe
PID 3928 wrote to memory of 1292	3928	cmd.exe	Esplorarne.exe.com
PID 3928 wrote to memory of 1292	3928	cmd.exe	Esplorarne.exe.com
PID 3928 wrote to memory of 1292	3928	cmd.exe	Esplorarne.exe.com
PID 3928 wrote to memory of 3040	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 3040	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 3040	3928	cmd.exe	PING.EXE
PID 1292 wrote to memory of 1824	1292	Esplorarne.exe.com	Esplorarne.exe.com
PID 1292 wrote to memory of 1824	1292	Esplorarne.exe.com	Esplorarne.exe.com
PID 1292 wrote to memory of 1824	1292	Esplorarne.exe.com	Esplorarne.exe.com
PID 1352 wrote to memory of 3920	1352	4.exe	SmartClock.exe
PID 1352 wrote to memory of 3920	1352	4.exe	SmartClock.exe
PID 1352 wrote to memory of 3920	1352	4.exe	SmartClock.exe
PID 1824 wrote to memory of 1812	1824	Esplorarne.exe.com	jklmqyaulo.exe
PID 1824 wrote to memory of 1812	1824	Esplorarne.exe.com	jklmqyaulo.exe
PID 1824 wrote to memory of 1812	1824	Esplorarne.exe.com	jklmqyaulo.exe
PID 1824 wrote to memory of 2988	1824	Esplorarne.exe.com	WScript.exe
PID 1824 wrote to memory of 2988	1824	Esplorarne.exe.com	WScript.exe
PID 1824 wrote to memory of 2988	1824	Esplorarne.exe.com	WScript.exe
PID 1812 wrote to memory of 2240	1812	jklmqyaulo.exe	rundll32.exe
PID 1812 wrote to memory of 2240	1812	jklmqyaulo.exe	rundll32.exe
PID 1812 wrote to memory of 2240	1812	jklmqyaulo.exe	rundll32.exe
PID 2240 wrote to memory of 3176	2240	rundll32.exe	RUNDLL32.EXE
PID 2240 wrote to memory of 3176	2240	rundll32.exe	RUNDLL32.EXE
PID 2240 wrote to memory of 3176	2240	rundll32.exe	RUNDLL32.EXE
PID 3176 wrote to memory of 3944	3176	RUNDLL32.EXE	powershell.exe
PID 3176 wrote to memory of 3944	3176	RUNDLL32.EXE	powershell.exe
PID 3176 wrote to memory of 3944	3176	RUNDLL32.EXE	powershell.exe
PID 1824 wrote to memory of 3860	1824	Esplorarne.exe.com	WScript.exe
PID 1824 wrote to memory of 3860	1824	Esplorarne.exe.com	WScript.exe
PID 1824 wrote to memory of 3860	1824	Esplorarne.exe.com	WScript.exe
PID 3176 wrote to memory of 3344	3176	RUNDLL32.EXE	powershell.exe
PID 3176 wrote to memory of 3344	3176	RUNDLL32.EXE	powershell.exe
PID 3176 wrote to memory of 3344	3176	RUNDLL32.EXE	powershell.exe
PID 3344 wrote to memory of 4008	3344	powershell.exe	nslookup.exe
PID 3344 wrote to memory of 4008	3344	powershell.exe	nslookup.exe
PID 3344 wrote to memory of 4008	3344	powershell.exe	nslookup.exe
PID 3176 wrote to memory of 3356	3176	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
"C:\Users\Admin\AppData\Local\Temp\9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\aqFIU.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\aqFIU.exe
    "C:\Users\Admin\AppData\Local\Temp\aqFIU.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Impaziente.pptx
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^rvlkqKVoeVAMHCWAIZnknRpRgyZLjKwPmJyMWtjeFgBKaZRxDfZktUPjhaWVKlVaUKjXbpDENvFlfnmfgEiWKQLFTSmDidaczpQ$" Convulso.pptx
        7⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com F
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com F
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\jklmqyaulo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jklmqyaulo.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\JKLMQY~1.EXE
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL,b0QrLDatAA==
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1326.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp249D.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ehnifgct.vbs"
        9⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mftccwysawo.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:3860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:3920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\XgPlFCnY & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d147bbd1030e0a91b2218516fb2f7ac

SHA1
bc88f802df23033b9f1cf6eb146f3da5ba9ac601

SHA256
dd6c1e5c55a2423eeaa4f528f9eb05f9f8bc090b00883167e9175646d6b9cf0a

SHA512
0a46c28f14ff3fd591e124b49748d08b421c10e036f7adc4e49e7a06e6c7834d79e7181dfefcfa067764a4b068796b4aae444ba7fd752f7dd88375022c1fde6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Convulso.pptx

MD5
e520d1a1782da98c1f34f5941564bc76

SHA1
ba87a53c805b36ff812121b0c77997ac0ad8a9c1

SHA256
763fe23774a504719bf154eced890124f3cec3ba760a3ffd5be7c2a34a476f94

SHA512
5b4f5fe3542303cdecdcbc19a214362a14aa8f76c17a90ded4db607041a31f66ac7937c5a945c8453521d1a0af2f128e5e148999cd15669bc1367fe685284d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.pptx

MD5
98e738b53452321f130bad6d768f05ff

SHA1
25c72d4ddaf40c1232e32bf3cafc6ee61a5dd94b

SHA256
b9f5a2f5dd75c15f2f59706e260eb643e4be4f72f68c235b97bb4700ab8f87b6

SHA512
e39939f2aed94f3145f65c9ac9280b8018edc3a31847ce3da3fed4ec1d5e1e1bdb0d5a696031ace4d5b40789c330af07488d91e200ea445a08b5c8f357416445

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\F

MD5
98e738b53452321f130bad6d768f05ff

SHA1
25c72d4ddaf40c1232e32bf3cafc6ee61a5dd94b

SHA256
b9f5a2f5dd75c15f2f59706e260eb643e4be4f72f68c235b97bb4700ab8f87b6

SHA512
e39939f2aed94f3145f65c9ac9280b8018edc3a31847ce3da3fed4ec1d5e1e1bdb0d5a696031ace4d5b40789c330af07488d91e200ea445a08b5c8f357416445

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Impaziente.pptx

MD5
02d509d985e0ebb3cee1fb0fc737d0e4

SHA1
1ddb58a650a40e26a2098df77cc233d35bf29481

SHA256
9bf2d841fcb2cad4aaa35b8ee83dc3e2323a39041cd28077c91bafb63a676f70

SHA512
d0c735d0e521700fd18ae67cef7585197683ba8b3c988a4cb639a898cadb9c37cf9c24cea636be785db13b98fd411837c6a818a7a6cdf580fc59018375d136f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sui.pptx

MD5
273ae9c778d89a9045728eb5a124af96

SHA1
c7a72ecff43c70ff8efd2efbff11be0ae4d12411

SHA256
49c6625bf68fce9df5373c0dd836dfc3731f980a67df7f8208bdb92e478d00f8

SHA512
a9a513c7c92ea03661c61db0d6c7e3002230f532c218932c200727c7ae6603e353ff6684cb7b0fe09d50142dc8f3744b378ad73724ee00e6690c71e0f778ce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
4934060484b4843c3120a85c9767ce3b

SHA1
18a8b130781711ac9bf51b50ca39f4e52b5ac698

SHA256
3650b22c45da2db8aaff1021eb1b3a19ed0130e27f6380d948575cd0b4444c9f

SHA512
53baee2400e25a2545c6c2cc1eab489101c665851a327cb85b48e93b8ed5dd426b21cd1a8d374e821d2790495b040e86bc5319cfb834db50af41c43576304349

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
4934060484b4843c3120a85c9767ce3b

SHA1
18a8b130781711ac9bf51b50ca39f4e52b5ac698

SHA256
3650b22c45da2db8aaff1021eb1b3a19ed0130e27f6380d948575cd0b4444c9f

SHA512
53baee2400e25a2545c6c2cc1eab489101c665851a327cb85b48e93b8ed5dd426b21cd1a8d374e821d2790495b040e86bc5319cfb834db50af41c43576304349

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
e3585b40100331d7cf6368aaa35e17ea

SHA1
ca3f0c3be719af3c719e65d24a9a445ed8fbb05e

SHA256
92da931838da8c24e3283aa02a964f471ce64c29b0d83b1a98a73b2d8ef57c3f

SHA512
5c2fd3da40b045a890330d081f052b2d0853e8e2302e87fb648105bbf2b5e6b147f2e63963f3e8d7d0691115d668eb4be1671a91794258afdc3efaf7f1cdc0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
e3585b40100331d7cf6368aaa35e17ea

SHA1
ca3f0c3be719af3c719e65d24a9a445ed8fbb05e

SHA256
92da931838da8c24e3283aa02a964f471ce64c29b0d83b1a98a73b2d8ef57c3f

SHA512
5c2fd3da40b045a890330d081f052b2d0853e8e2302e87fb648105bbf2b5e6b147f2e63963f3e8d7d0691115d668eb4be1671a91794258afdc3efaf7f1cdc0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\OXNSJI~1.ZIP

MD5
ac8878c7bcde111427e61df686596382

SHA1
d3ce04cded71907d2460c878287de26305f38127

SHA256
bef3961717ba15d524847586a858f05ecdf7a4165eee3f670a7f9004e8a7b1b8

SHA512
24edabaf8607292c7ed8dd9a794042ab5ff8caf6b75823da3e8836659535e929356eecb26ecc7ad435b6510a90b42e7dc968100be67de718fab804d877f29356

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\SXROYS~1.ZIP

MD5
ad1e59f56e1e6719a762cdac41727915

SHA1
b32525aa18c3063fbb5a75d0797c88fe0ced55ff

SHA256
56778b8374f06954c02b6980294f2665426700fa978ac136542f9013f8431782

SHA512
98cc78b7329f00d6bc5fc9c45b6048162ff213fe2f412c9bc413565d5526d2df1e60f9710d6369f20c6914f6e41f7da4fcd4ffddeec397c88710f5fb58db27e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\_Files\_INFOR~1.TXT

MD5
299103eaf7438c66e1ac0afaae6a010b

SHA1
e87b66c77c812a9a1b9afba4f9f5c8881a9efcc2

SHA256
3871f0f2edd3ef336ee849d62cc93c4f847335dc63adf4366bf5bcc372b43641

SHA512
f059a0d034d32f8849c000a50de8636eb1cf68256b48962f5f2dce42497bc37dea48b98b32c5adc2afdab99c5a222ed75c8da71406010a471800e41df5af5f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\_Files\_SCREE~1.JPE

MD5
3c78012de509fb0ff68b01e0f6dfb40e

SHA1
bfb56f3b1adc15f5d4f21049709d75449b97fa60

SHA256
ebf95b2a02c997c737d3c57def27e957e20dfaa4f5bed31ffc0c9455b39b57a9

SHA512
d42844d9485eaa9d882f84e2fd56786b3ec627ab83c0d15e1249f153456bdde94c7e8f531d0d8af6041ecd813200af2e20ce58aeb2f26baf5ce02dd9551938cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\files_\SCREEN~1.JPG

MD5
3c78012de509fb0ff68b01e0f6dfb40e

SHA1
bfb56f3b1adc15f5d4f21049709d75449b97fa60

SHA256
ebf95b2a02c997c737d3c57def27e957e20dfaa4f5bed31ffc0c9455b39b57a9

SHA512
d42844d9485eaa9d882f84e2fd56786b3ec627ab83c0d15e1249f153456bdde94c7e8f531d0d8af6041ecd813200af2e20ce58aeb2f26baf5ce02dd9551938cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgPlFCnY\files_\SYSTEM~1.TXT

MD5
d2e458918062b972ec53a95322741f30

SHA1
f9cb88b9b2caa640efe27c007a5fbabc95ea293b

SHA256
f0951b59af58db962cbb3c64e1c03a3ecd048cd31d333bd67668c9a67256ac8b

SHA512
52db061f7b6b3dcfdc2a35cca00b13b8e2c748cccb209357cf4d499d002442049bb03e56a6e3d1c793cc626e43b9f22186fa3fc78173a091508a0079e8b71d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqFIU.exe

MD5
dba9d5c211d728da4b92e0064a445ecd

SHA1
30ba2ff291af1ee572f9eb9299b41d83157c1b83

SHA256
d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124

SHA512
c17d82d4a116b350bbb2129e3070dc2379bda1cda23edaa8c415271699f0c1eeeb21aedd005e4db650fb4912709642f64df3abd96d8d1787bb657061846fcb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqFIU.exe

MD5
dba9d5c211d728da4b92e0064a445ecd

SHA1
30ba2ff291af1ee572f9eb9299b41d83157c1b83

SHA256
d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124

SHA512
c17d82d4a116b350bbb2129e3070dc2379bda1cda23edaa8c415271699f0c1eeeb21aedd005e4db650fb4912709642f64df3abd96d8d1787bb657061846fcb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehnifgct.vbs

MD5
c58408ccaa138a08c8ebeccad97df0f0

SHA1
1ed5509a220c13a2727d8e5c8f1f9314715c7220

SHA256
cf578b57ad77cc847598e4a473055a354744549996782da4a0c1e5e5203086ec

SHA512
3ec9e65230adee25a78eb52abeea49f240c8a7f20f8113f7917093c7fa9d62780ab36fcdc1299637c2483ffa14f91def9a6665cc0c0632b4e0a9ecd59558a299

Download Submit
C:\Users\Admin\AppData\Local\Temp\jklmqyaulo.exe

MD5
e91d25fe1c352dde539dfe3956693a9e

SHA1
478ceadecb5529b39b8c71c436f6ba3a03b12de6

SHA256
1876ed395dafc0dfadea8019a9362a065bb43a5f870e0c3e8810d347a0ab61d0

SHA512
ec48e80bdc5639673a850ea8f25a575db381d2e4ca47a66b76eda7adc68cf5bdedd69cf1864f9abc6f57d88a65b831ffe7729fb0617bbeb081802cebbf5ec5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jklmqyaulo.exe

MD5
e91d25fe1c352dde539dfe3956693a9e

SHA1
478ceadecb5529b39b8c71c436f6ba3a03b12de6

SHA256
1876ed395dafc0dfadea8019a9362a065bb43a5f870e0c3e8810d347a0ab61d0

SHA512
ec48e80bdc5639673a850ea8f25a575db381d2e4ca47a66b76eda7adc68cf5bdedd69cf1864f9abc6f57d88a65b831ffe7729fb0617bbeb081802cebbf5ec5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mftccwysawo.vbs

MD5
6f74eb3b914e11eb187f1e594802b033

SHA1
9b6477293cddb09a2a3c1fb5b27aea23e6132025

SHA256
fc52c16f1ca1a77b876b29a4d56c6e265663f03f558660819d940ed7c87a36e2

SHA512
2b7efaf0f71fb0df553fb27ef52a70ec75b82e4d2f47f02704dfbad30e2f7c994e9c362a819b6e067e12b7726cf8647c9b9ad0057fa2aeecae7aff3f635ef9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1326.tmp.ps1

MD5
a8f9ddcd8d54d31b20bb274507761a42

SHA1
25188bc54100bee86c23029847a2e173ea6e9342

SHA256
3f6673198000dfe651f1f584deb3e715bb625a512da4f270b58bcb354e3ba3e2

SHA512
a735829a245d3da3392a4b950d8bf6cea2bd03d040cb5c0bd5e0007434854c341926762093a20a339f08a84dea99d03e23eef97cb5f73e3b3130f97beaad93ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1327.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp249D.tmp.ps1

MD5
51e4f4e6b40bd775ca81a1626f0a2246

SHA1
9829c1db72bc629d60e585e5845b959fd2d53b08

SHA256
ebceee13a6029206e05721b56f088936f99376037b45bdb8714b71cd927ea70f

SHA512
fa710390c3124a6e597f96069e0bb57ee7ac249221a6341c0bcfb36a6aa4982ee0340955180faef15cc17d8ac0c4c028bedd1ce2a246ae4ff53cbc6134f555a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp249E.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
4934060484b4843c3120a85c9767ce3b

SHA1
18a8b130781711ac9bf51b50ca39f4e52b5ac698

SHA256
3650b22c45da2db8aaff1021eb1b3a19ed0130e27f6380d948575cd0b4444c9f

SHA512
53baee2400e25a2545c6c2cc1eab489101c665851a327cb85b48e93b8ed5dd426b21cd1a8d374e821d2790495b040e86bc5319cfb834db50af41c43576304349

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
4934060484b4843c3120a85c9767ce3b

SHA1
18a8b130781711ac9bf51b50ca39f4e52b5ac698

SHA256
3650b22c45da2db8aaff1021eb1b3a19ed0130e27f6380d948575cd0b4444c9f

SHA512
53baee2400e25a2545c6c2cc1eab489101c665851a327cb85b48e93b8ed5dd426b21cd1a8d374e821d2790495b040e86bc5319cfb834db50af41c43576304349

Download Submit
\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\JKLMQY~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsp78E0.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/756-236-0x0000000000000000-mapping.dmp

Download
memory/1100-127-0x0000000000000000-mapping.dmp

Download
memory/1292-141-0x0000000000000000-mapping.dmp

Download
memory/1352-149-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1352-148-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/1352-123-0x0000000000000000-mapping.dmp

Download
memory/1812-163-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/1812-157-0x0000000000000000-mapping.dmp

Download
memory/1812-162-0x0000000002E10000-0x0000000003517000-memory.dmp

Filesize
7.0MB

Download
memory/1812-164-0x0000000000B20000-0x0000000000BCE000-memory.dmp

Filesize
696KB

Download
memory/1824-156-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/1824-145-0x0000000000000000-mapping.dmp

Download
memory/1840-140-0x0000000000000000-mapping.dmp

Download
memory/2240-170-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2240-176-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2240-175-0x0000000004C81000-0x00000000052E0000-memory.dmp

Filesize
6.4MB

Download
memory/2240-169-0x0000000004330000-0x00000000048F5000-memory.dmp

Filesize
5.8MB

Download
memory/2240-165-0x0000000000000000-mapping.dmp

Download
memory/2720-116-0x0000000000000000-mapping.dmp

Download
memory/2988-160-0x0000000000000000-mapping.dmp

Download
memory/3040-144-0x0000000000000000-mapping.dmp

Download
memory/3100-131-0x0000000000000000-mapping.dmp

Download
memory/3176-171-0x0000000000000000-mapping.dmp

Download
memory/3176-174-0x0000000004420000-0x00000000049E5000-memory.dmp

Filesize
5.8MB

Download
memory/3176-220-0x0000000000830000-0x00000000008DE000-memory.dmp

Filesize
696KB

Download
memory/3176-177-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3176-178-0x0000000004FF1000-0x0000000005650000-memory.dmp

Filesize
6.4MB

Download
memory/3344-207-0x0000000000000000-mapping.dmp

Download
memory/3344-223-0x0000000006522000-0x0000000006523000-memory.dmp

Filesize
4KB

Download
memory/3344-216-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3344-219-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3344-233-0x0000000006523000-0x0000000006524000-memory.dmp

Filesize
4KB

Download
memory/3344-222-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3356-235-0x0000000000000000-mapping.dmp

Download
memory/3748-121-0x0000000000000000-mapping.dmp

Download
memory/3860-192-0x0000000000000000-mapping.dmp

Download
memory/3904-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3904-114-0x0000000002180000-0x0000000002261000-memory.dmp

Filesize
900KB

Download
memory/3920-150-0x0000000000000000-mapping.dmp

Download
memory/3920-154-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3928-129-0x0000000000000000-mapping.dmp

Download
memory/3944-191-0x0000000004FB2000-0x0000000004FB3000-memory.dmp

Filesize
4KB

Download
memory/3944-182-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3944-202-0x0000000009A80000-0x0000000009A81000-memory.dmp

Filesize
4KB

Download
memory/3944-203-0x0000000009B20000-0x0000000009B21000-memory.dmp

Filesize
4KB

Download
memory/3944-179-0x0000000000000000-mapping.dmp

Download
memory/3944-206-0x0000000004FB3000-0x0000000004FB4000-memory.dmp

Filesize
4KB

Download
memory/3944-196-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/3944-184-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/3944-194-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/3944-201-0x000000000A2E0000-0x000000000A2E1000-memory.dmp

Filesize
4KB

Download
memory/3944-183-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3944-190-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/3944-189-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/3944-188-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/3944-185-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/3944-186-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/3944-187-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/3964-130-0x0000000000000000-mapping.dmp

Download
memory/4008-231-0x0000000000000000-mapping.dmp

Download
memory/4092-117-0x0000000000000000-mapping.dmp

Download