cryptbot | 88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

Analysis

max time kernel
146s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
09-06-2021 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Size

713KB
MD5

9f70f3c99573438e3a904a056f09798f
SHA1

47bcdc19b767d13515af816b08d95fdac24e8521
SHA256

88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5
SHA512

5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

olmqmc32.top

morovz03.top

Attributes

payload_url
http://vamzcd04.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.175:443

184.95.51.183:443

192.210.198.12:443

37.220.31.52:443

Attributes

embedded_hash
41DB94464223E2DE95BE6AE704AE054E

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/848-114-0x00000000022D0000-0x00000000023B1000-memory.dmp	family_cryptbot
behavioral2/memory/848-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

36 4080 RUNDLL32.EXE
38 3352 WScript.exe
40 3352 WScript.exe
42 3352 WScript.exe
44 3352 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

WjhCf.exevpn.exe4.exeGabbie.exe.comGabbie.exe.comSmartClock.exendibkgroo.exe

pid process

2376 WjhCf.exe
2304 vpn.exe
3532 4.exe
3920 Gabbie.exe.com
3184 Gabbie.exe.com
868 SmartClock.exe
1332 ndibkgroo.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

WjhCf.exerundll32.exeRUNDLL32.EXE

pid process

2376 WjhCf.exe
3996 rundll32.exe
4080 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com

flow	pid	process
36	4080	RUNDLL32.EXE
38	3352	WScript.exe
40	3352	WScript.exe
42	3352	WScript.exe
44	3352	WScript.exe

pid	process
2376	WjhCf.exe
2304	vpn.exe
3532	4.exe
3920	Gabbie.exe.com
3184	Gabbie.exe.com
868	SmartClock.exe
1332	ndibkgroo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
2376	WjhCf.exe
3996	rundll32.exe
4080	RUNDLL32.EXE

flow	ioc
23	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

WjhCf.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	WjhCf.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	WjhCf.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	WjhCf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE88483e5e82b2362be92c707450c3205427359e6c18bf7.exeGabbie.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Gabbie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Gabbie.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2588 timeout.exe
Modifies registry class 1 IoCs

Processes:

Gabbie.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Gabbie.exe.com

pid	process
2588	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Gabbie.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2044 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

868 SmartClock.exe

pid	process
2044	PING.EXE

pid	process
868	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
4080	RUNDLL32.EXE
4080	RUNDLL32.EXE
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3996	rundll32.exe
Token: SeDebugPrivilege	4080	RUNDLL32.EXE
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

88483e5e82b2362be92c707450c3205427359e6c18bf7.exevpn.exeRUNDLL32.EXE

pid process

848 88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
848 88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
2304 vpn.exe
4080 RUNDLL32.EXE

pid	process
848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
2304	vpn.exe
4080	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88483e5e82b2362be92c707450c3205427359e6c18bf7.execmd.exeWjhCf.exevpn.execmd.execmd.exeGabbie.exe.comcmd.exe4.exeGabbie.exe.comndibkgroo.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 848 wrote to memory of 2936	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 848 wrote to memory of 2936	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 848 wrote to memory of 2936	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 2936 wrote to memory of 2376	2936	cmd.exe	WjhCf.exe
PID 2936 wrote to memory of 2376	2936	cmd.exe	WjhCf.exe
PID 2936 wrote to memory of 2376	2936	cmd.exe	WjhCf.exe
PID 2376 wrote to memory of 2304	2376	WjhCf.exe	vpn.exe
PID 2376 wrote to memory of 2304	2376	WjhCf.exe	vpn.exe
PID 2376 wrote to memory of 2304	2376	WjhCf.exe	vpn.exe
PID 2376 wrote to memory of 3532	2376	WjhCf.exe	4.exe
PID 2376 wrote to memory of 3532	2376	WjhCf.exe	4.exe
PID 2376 wrote to memory of 3532	2376	WjhCf.exe	4.exe
PID 2304 wrote to memory of 648	2304	vpn.exe	cmd.exe
PID 2304 wrote to memory of 648	2304	vpn.exe	cmd.exe
PID 2304 wrote to memory of 648	2304	vpn.exe	cmd.exe
PID 648 wrote to memory of 3924	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 3924	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 3924	648	cmd.exe	cmd.exe
PID 3924 wrote to memory of 3992	3924	cmd.exe	findstr.exe
PID 3924 wrote to memory of 3992	3924	cmd.exe	findstr.exe
PID 3924 wrote to memory of 3992	3924	cmd.exe	findstr.exe
PID 848 wrote to memory of 3984	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 848 wrote to memory of 3984	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 848 wrote to memory of 3984	848	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 3924 wrote to memory of 3920	3924	cmd.exe	Gabbie.exe.com
PID 3924 wrote to memory of 3920	3924	cmd.exe	Gabbie.exe.com
PID 3924 wrote to memory of 3920	3924	cmd.exe	Gabbie.exe.com
PID 3920 wrote to memory of 3184	3920	Gabbie.exe.com	Gabbie.exe.com
PID 3920 wrote to memory of 3184	3920	Gabbie.exe.com	Gabbie.exe.com
PID 3920 wrote to memory of 3184	3920	Gabbie.exe.com	Gabbie.exe.com
PID 3924 wrote to memory of 2044	3924	cmd.exe	PING.EXE
PID 3924 wrote to memory of 2044	3924	cmd.exe	PING.EXE
PID 3924 wrote to memory of 2044	3924	cmd.exe	PING.EXE
PID 3984 wrote to memory of 2588	3984	cmd.exe	timeout.exe
PID 3984 wrote to memory of 2588	3984	cmd.exe	timeout.exe
PID 3984 wrote to memory of 2588	3984	cmd.exe	timeout.exe
PID 3532 wrote to memory of 868	3532	4.exe	SmartClock.exe
PID 3532 wrote to memory of 868	3532	4.exe	SmartClock.exe
PID 3532 wrote to memory of 868	3532	4.exe	SmartClock.exe
PID 3184 wrote to memory of 1332	3184	Gabbie.exe.com	ndibkgroo.exe
PID 3184 wrote to memory of 1332	3184	Gabbie.exe.com	ndibkgroo.exe
PID 3184 wrote to memory of 1332	3184	Gabbie.exe.com	ndibkgroo.exe
PID 3184 wrote to memory of 1320	3184	Gabbie.exe.com	WScript.exe
PID 3184 wrote to memory of 1320	3184	Gabbie.exe.com	WScript.exe
PID 3184 wrote to memory of 1320	3184	Gabbie.exe.com	WScript.exe
PID 1332 wrote to memory of 3996	1332	ndibkgroo.exe	rundll32.exe
PID 1332 wrote to memory of 3996	1332	ndibkgroo.exe	rundll32.exe
PID 1332 wrote to memory of 3996	1332	ndibkgroo.exe	rundll32.exe
PID 3996 wrote to memory of 4080	3996	rundll32.exe	RUNDLL32.EXE
PID 3996 wrote to memory of 4080	3996	rundll32.exe	RUNDLL32.EXE
PID 3996 wrote to memory of 4080	3996	rundll32.exe	RUNDLL32.EXE
PID 3184 wrote to memory of 3352	3184	Gabbie.exe.com	WScript.exe
PID 3184 wrote to memory of 3352	3184	Gabbie.exe.com	WScript.exe
PID 3184 wrote to memory of 3352	3184	Gabbie.exe.com	WScript.exe
PID 4080 wrote to memory of 1208	4080	RUNDLL32.EXE	powershell.exe
PID 4080 wrote to memory of 1208	4080	RUNDLL32.EXE	powershell.exe
PID 4080 wrote to memory of 1208	4080	RUNDLL32.EXE	powershell.exe
PID 4080 wrote to memory of 2592	4080	RUNDLL32.EXE	powershell.exe
PID 4080 wrote to memory of 2592	4080	RUNDLL32.EXE	powershell.exe
PID 4080 wrote to memory of 2592	4080	RUNDLL32.EXE	powershell.exe
PID 2592 wrote to memory of 912	2592	powershell.exe	nslookup.exe
PID 2592 wrote to memory of 912	2592	powershell.exe	nslookup.exe
PID 2592 wrote to memory of 912	2592	powershell.exe	nslookup.exe
PID 4080 wrote to memory of 2616	4080	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
"C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\WjhCf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\WjhCf.exe
    "C:\Users\Admin\AppData\Local\Temp\WjhCf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Gote.aiff
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^LjaIWKsNCnNrcrIGrRSgkvhmTVtiUhayrefgTaEfPZCszvASPFwjlwZgZTOwGpSgyIZzOzMKjDnkUVybxkagkuUerqfqE$" Diritto.aiff
        7⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
        
        Gabbie.exe.com c
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com c
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\ndibkgroo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ndibkgroo.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NDIBKG~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\NDIBKG~1.EXE
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NDIBKG~1.DLL,e2EaLDaYBQ==
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp510A.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6BF7.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sslqccpes.vbs"
        9⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wtgkdppn.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:3352
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vGbOpXIF & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
99db1a03ff076f5b4cd808ca0aee5f20

SHA1
3cb1d2d828eb51b3bdae0be3fc51f7619ff6ab16

SHA256
a35719ffc52e720442788671a17c5abff11987412de6eb2561ddf0c172d9d18a

SHA512
523750333fd6161ceb97fa552fb235b751f9a740e48052b25f6cb556b0bd729b95f940a93b75af62509f7cb4d8393c565393bd64f2ae3ea769cfb3243007e064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dal.aiff

MD5
31dedc55170d4ed52eb76be3a9638985

SHA1
513dac3929f455ed419517b1c2c4d47f7eac31ac

SHA256
97f4344e07d26691dffaf8f46a00a05b72227b36efaa8ceb5c2c443fd1922bae

SHA512
82744a91d4ad070c30dd173cd5ec3e6c71f45b6e7df283fa3ffeaf8f2f8313c3c6bb2a576c730a80c2b740fce823139760249151cee7664a4e971b011768916d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Diritto.aiff

MD5
e9c5421045344ad1ddc7e258ad6c2de3

SHA1
b5e34b9c6bbddc1b1d0f77c8e328896ad6e00099

SHA256
c49fa942faccaf5b0421615b8ed9a6a2dec6224842d01344f3fc56617d170fd4

SHA512
a23eac6f1bc5c973d66d3872b057833bdc6af258cfe5e59a8bf87ea93f5cf19e50e1cba8152490c66166827bf50d7403f642b6f04553e845c610cdb56047e703

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dov.aiff

MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gote.aiff

MD5
93b381d92ae8bb0723bf1ba3dd3acf47

SHA1
ebad215f84bf321e5d9dbae1ae7ac1b93d0f130d

SHA256
2318dabdad1ad9bfb9f5261b89016d3db0758c58187e7a52fda9e007a93ca783

SHA512
5bf53e505dc3d23335b7717516f2e5326ff3a7d8d8f3bc2840b412ffd7536b319db7a496f55e239b0721eafe4ddcd3e5abc9d1ff35445f6e0064f2c8c54927b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\c

MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDIBKG~1.DLL

MD5
b762d7d76c21c104084249e3a93f79a3

SHA1
7e2d7325c45630ee7fda7fd1b7de864f8806b1f0

SHA256
73058af6661970bb1a8aa52c9f21f0e02462b462aaee99cfd8687e2d0655ded2

SHA512
c3d53739d64d29f17645f9a29275b1e7b87f313abc3b963a3bc6a6b066cadd2bd6abc6cc7271339007861131aad6fd93a07b8a44d23ed173369b14720a7b2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WjhCf.exe

MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WjhCf.exe

MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndibkgroo.exe

MD5
66c284b62bd5b6640f4478761a690301

SHA1
c1a1d3feed660dc7194869fc2dbc9ae43370fe07

SHA256
0e9fb0a524be6d8ff7ca8704b42dcaa025c83247109b5d4e42b1384cf0308f07

SHA512
ee4e84d189beec51681573fa3b8d2661a9dd09c68b60f75596eb940bc1b8fd8bd1345f39fc29f93504eb2776317b6a0d1f11be9850215da554904b7152e1e45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndibkgroo.exe

MD5
66c284b62bd5b6640f4478761a690301

SHA1
c1a1d3feed660dc7194869fc2dbc9ae43370fe07

SHA256
0e9fb0a524be6d8ff7ca8704b42dcaa025c83247109b5d4e42b1384cf0308f07

SHA512
ee4e84d189beec51681573fa3b8d2661a9dd09c68b60f75596eb940bc1b8fd8bd1345f39fc29f93504eb2776317b6a0d1f11be9850215da554904b7152e1e45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sslqccpes.vbs

MD5
3c94e0bc62aae2546d8143a3070f3e82

SHA1
7d7f47ac48ea1f164849fdbc4dc8087e14e1772f

SHA256
d80e0b74c4efccbdc13ec19250304cf9772b5dbdf49eae12ef49ae62ce2287ab

SHA512
93795fba6deb1cf77f9f852a301c6a2b04f9bec4452b77554a187c39e390d77491f8b40305bbef39ef4776f649b7faae7fe9dbc63f516f7297768fe38d964ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp510A.tmp.ps1

MD5
8cd52443195d5e270b8d4e8fc3aed5b0

SHA1
ca7a72ee397bcd61389dd4522f9d42546041d2d3

SHA256
ab849f393053eabe413a76222e32f2453334bc5fc2c506e7f85605b1a0635154

SHA512
e04a6440e88857a8c5ba127505bbe7ef21de16f7185a6b1803b3cf5ac68e9f5b51e396166883306cc7d92ba88b2afa030ed030e988faf9459d38be94658d6291

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp510B.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BF7.tmp.ps1

MD5
3e978e7f7f998fe03e95f7501b9d5960

SHA1
09ec6b49487444180246ced5eec8815bb53c3c04

SHA256
3ec6c9be82ea50ca749efa8f8b2023cff8a9aed421839bfc6ed2b128ee59b3a0

SHA512
d90388fafcb86af5192efa779c7b04953f7bd696cfa76596b2abbf5c164dbdde8e5ab94d75f83b173cb4e3c22a388030c113006a8f6b6fb92174422e2250bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BF8.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\SRRQTZ~1.ZIP

MD5
a008d6e680853aa36536964531830ff1

SHA1
b0ac863807f7d1d282451442e1afb2cd6bdcad79

SHA256
bda8a74710c3b606b22a46ef1cba05d8fb33a9fa9b6ab20091d2ec6702df246c

SHA512
8a5a8e3b2fba0c59c9e0450140152e87f376941833e92ad176cd6b6462c84ce9a7de31d3f036e6ff18dd0ce068a0a1e673ccd0f4e58923f4215de65da5a39e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\UIWHPW~1.ZIP

MD5
c8a4c2a95dd2ec3d5aec86146d57edaf

SHA1
41c625b58ab74bab1de6ad5554e3a5f329ff3a1c

SHA256
993a1f000fb4879b74691593c287d9d1b23ea6e7eff12765d60d8f130e3c5cff

SHA512
33a45c94b838c1498175b1a0f47015eeb0932c20ffc16f374288ea7fda8c659bf85c77a5c57884c6cc0a16d16819a70a856701a229c117bfa02e592e090f96ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\_Files\_Files\CLOSEU~1.TXT

MD5
86dc1bdd11b9ca73ec301305b167f9b8

SHA1
26afe227fd790a0ab3918bdda27e7de13bcac224

SHA256
9c7d31edcaf4de852f28fba72e0fb36557cef765fdf04ae4548726bd9ef94c10

SHA512
b897e3c5ed396071f476a6e725e338c74a459e9945380753bee5bca823143db0af8bfcd400e08e1a5b6d054d001e78c1b104c5e7c3edc288b6580bbaa46a76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\_Files\_INFOR~1.TXT

MD5
a57f9d1a3041979625729bda9b169fee

SHA1
a9e01dd75b0029ff264389a8a70f53bd9c1efeb1

SHA256
5db3ae96af8871c3d7dd4cee33fa85995d13a8f76ce66c8cf8d3e1d34aaa3d55

SHA512
6660d452e6c1bf8ff0927f223a1a1b945f84eb9575b99bc7df349e6901402546bdc7994876e6f2548a4ed324b46f273204c7e640d82ad6bfceb7f6e931bf4eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\_Files\_SCREE~1.JPE

MD5
7c24099391c5bd3ed50362a67622ec80

SHA1
6bdb57dd3749cf14d436c4f53f640ea98c3fa48b

SHA256
649d0b565a6b2b9b4bf9d885fa0b6323bbe2ce545d3867958d580e023d6971c5

SHA512
f4f4111d0349913a64f198b5d7984e48b808252b0ee77c8153fa27f0ad2a0fbf4fdd8f6108a89b5cde726fff3a39a4c76fd9dc782559cbcde4153ce5c3397e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\files_\SCREEN~1.JPG

MD5
7c24099391c5bd3ed50362a67622ec80

SHA1
6bdb57dd3749cf14d436c4f53f640ea98c3fa48b

SHA256
649d0b565a6b2b9b4bf9d885fa0b6323bbe2ce545d3867958d580e023d6971c5

SHA512
f4f4111d0349913a64f198b5d7984e48b808252b0ee77c8153fa27f0ad2a0fbf4fdd8f6108a89b5cde726fff3a39a4c76fd9dc782559cbcde4153ce5c3397e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\files_\SYSTEM~1.TXT

MD5
0cd2d5c3d0df02879f8190e820222f62

SHA1
afbbbae1fc32dbce88c403d91da14b7dbbd03791

SHA256
015bef31815ba6947a4a791c5f636935ede406bcdadb669fb825535a1ee359df

SHA512
51b5bd44d691755b9d21bd6ed76474c107772d8103043f15ad9203e1afc8e8a8b2520711a377641a1f1259387290c4cee447a0ab824d6330c5a924740c00be14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGbOpXIF\files_\files\CLOSEU~1.TXT

MD5
86dc1bdd11b9ca73ec301305b167f9b8

SHA1
26afe227fd790a0ab3918bdda27e7de13bcac224

SHA256
9c7d31edcaf4de852f28fba72e0fb36557cef765fdf04ae4548726bd9ef94c10

SHA512
b897e3c5ed396071f476a6e725e338c74a459e9945380753bee5bca823143db0af8bfcd400e08e1a5b6d054d001e78c1b104c5e7c3edc288b6580bbaa46a76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtgkdppn.vbs

MD5
1a2d96b54fed14fd822120a5801867bc

SHA1
f72d6941544ace05d2e8580031dd0fcd4ab1fd22

SHA256
ca0181754dfc1bff53b82968b983ac65c4c209508259552de5dda900a4831f21

SHA512
71bb580c62f4bf706e51aa5f73edef90a68ce7f82ccb226bf819998974e4a7d93c34dff3d93c3227b2f91d8a06110b34a23c4083ac8b1778c2d517acc6b24241

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
\Users\Admin\AppData\Local\Temp\NDIBKG~1.DLL

MD5
b762d7d76c21c104084249e3a93f79a3

SHA1
7e2d7325c45630ee7fda7fd1b7de864f8806b1f0

SHA256
73058af6661970bb1a8aa52c9f21f0e02462b462aaee99cfd8687e2d0655ded2

SHA512
c3d53739d64d29f17645f9a29275b1e7b87f313abc3b963a3bc6a6b066cadd2bd6abc6cc7271339007861131aad6fd93a07b8a44d23ed173369b14720a7b2c46

Download Submit
\Users\Admin\AppData\Local\Temp\NDIBKG~1.DLL

MD5
b762d7d76c21c104084249e3a93f79a3

SHA1
7e2d7325c45630ee7fda7fd1b7de864f8806b1f0

SHA256
73058af6661970bb1a8aa52c9f21f0e02462b462aaee99cfd8687e2d0655ded2

SHA512
c3d53739d64d29f17645f9a29275b1e7b87f313abc3b963a3bc6a6b066cadd2bd6abc6cc7271339007861131aad6fd93a07b8a44d23ed173369b14720a7b2c46

Download Submit
\Users\Admin\AppData\Local\Temp\nsq13F7.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/648-127-0x0000000000000000-mapping.dmp

Download
memory/848-114-0x00000000022D0000-0x00000000023B1000-memory.dmp

Filesize
900KB

Download
memory/848-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/868-152-0x0000000000000000-mapping.dmp

Download
memory/868-157-0x0000000002090000-0x00000000020E2000-memory.dmp

Filesize
328KB

Download
memory/868-158-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/868-160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/912-235-0x0000000000000000-mapping.dmp

Download
memory/1208-205-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/1208-193-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1208-192-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1208-191-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/1208-190-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/1208-189-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/1208-188-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1208-185-0x0000000000000000-mapping.dmp

Download
memory/1208-194-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/1208-195-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/1208-210-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/1208-196-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/1208-207-0x0000000009350000-0x0000000009351000-memory.dmp

Filesize
4KB

Download
memory/1208-206-0x0000000009080000-0x0000000009081000-memory.dmp

Filesize
4KB

Download
memory/1208-200-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/1208-198-0x0000000008380000-0x0000000008381000-memory.dmp

Filesize
4KB

Download
memory/1208-197-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/1320-166-0x0000000000000000-mapping.dmp

Download
memory/1332-170-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1332-169-0x0000000000400000-0x0000000000B13000-memory.dmp

Filesize
7.1MB

Download
memory/1332-168-0x0000000002E90000-0x0000000003596000-memory.dmp

Filesize
7.0MB

Download
memory/1332-163-0x0000000000000000-mapping.dmp

Download
memory/2044-147-0x0000000000000000-mapping.dmp

Download
memory/2304-121-0x0000000000000000-mapping.dmp

Download
memory/2376-117-0x0000000000000000-mapping.dmp

Download
memory/2588-148-0x0000000000000000-mapping.dmp

Download
memory/2592-220-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/2592-223-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/2592-239-0x0000000004D13000-0x0000000004D14000-memory.dmp

Filesize
4KB

Download
memory/2592-226-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/2592-225-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2592-211-0x0000000000000000-mapping.dmp

Download
memory/2616-238-0x0000000000000000-mapping.dmp

Download
memory/2820-240-0x0000000000000000-mapping.dmp

Download
memory/2936-116-0x0000000000000000-mapping.dmp

Download
memory/3184-161-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3184-145-0x0000000000000000-mapping.dmp

Download
memory/3352-183-0x0000000000000000-mapping.dmp

Download
memory/3532-156-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3532-124-0x0000000000000000-mapping.dmp

Download
memory/3532-155-0x0000000000720000-0x0000000000746000-memory.dmp

Filesize
152KB

Download
memory/3532-151-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3532-150-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/3920-134-0x0000000000000000-mapping.dmp

Download
memory/3924-129-0x0000000000000000-mapping.dmp

Download
memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/3992-130-0x0000000000000000-mapping.dmp

Download
memory/3996-181-0x0000000003130000-0x000000000327A000-memory.dmp

Filesize
1.3MB

Download
memory/3996-180-0x0000000005201000-0x0000000005860000-memory.dmp

Filesize
6.4MB

Download
memory/3996-171-0x0000000000000000-mapping.dmp

Download
memory/4080-176-0x0000000000000000-mapping.dmp

Download
memory/4080-182-0x0000000005171000-0x00000000057D0000-memory.dmp

Filesize
6.4MB

Download
memory/4080-224-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download