cryptbot | 88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

Analysis

max time kernel
143s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
09-06-2021 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Size

713KB
MD5

9f70f3c99573438e3a904a056f09798f
SHA1

47bcdc19b767d13515af816b08d95fdac24e8521
SHA256

88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5
SHA512

5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

cryptbot

olmqmc32.top

morovz03.top

Attributes

payload_url
http://vamzcd04.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/668-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/668-114-0x00000000022A0000-0x0000000002381000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

34 1284 RUNDLL32.EXE
36 2240 WScript.exe
38 2240 WScript.exe
40 2240 WScript.exe
42 2240 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

psTOv.exevpn.exe4.exeGabbie.exe.comGabbie.exe.comSmartClock.execgntkwg.exe

pid process

2164 psTOv.exe
4016 vpn.exe
3952 4.exe
3996 Gabbie.exe.com
196 Gabbie.exe.com
3868 SmartClock.exe
2164 cgntkwg.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

psTOv.exerundll32.exeRUNDLL32.EXE

pid process

2164 psTOv.exe
2772 rundll32.exe
2772 rundll32.exe
1284 RUNDLL32.EXE
1284 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com

flow	pid	process
34	1284	RUNDLL32.EXE
36	2240	WScript.exe
38	2240	WScript.exe
40	2240	WScript.exe
42	2240	WScript.exe

pid	process
2164	psTOv.exe
4016	vpn.exe
3952	4.exe
3996	Gabbie.exe.com
196	Gabbie.exe.com
3868	SmartClock.exe
2164	cgntkwg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
2164	psTOv.exe
2772	rundll32.exe
2772	rundll32.exe
1284	RUNDLL32.EXE
1284	RUNDLL32.EXE

flow	ioc
21	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

psTOv.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	psTOv.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	psTOv.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	psTOv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88483e5e82b2362be92c707450c3205427359e6c18bf7.exeGabbie.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Gabbie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Gabbie.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2468 timeout.exe
Modifies registry class 1 IoCs

Processes:

Gabbie.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Gabbie.exe.com

pid	process
2468	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Gabbie.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1504 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3868 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

3568 powershell.exe
3568 powershell.exe
3568 powershell.exe
1284 RUNDLL32.EXE
1284 RUNDLL32.EXE
704 powershell.exe
704 powershell.exe
704 powershell.exe

pid	process
1504	PING.EXE

pid	process
3868	SmartClock.exe

pid	process
3568	powershell.exe
3568	powershell.exe
3568	powershell.exe
1284	RUNDLL32.EXE
1284	RUNDLL32.EXE
704	powershell.exe
704	powershell.exe
704	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2772	rundll32.exe
Token: SeDebugPrivilege	1284	RUNDLL32.EXE
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

88483e5e82b2362be92c707450c3205427359e6c18bf7.exevpn.exeRUNDLL32.EXE

pid process

668 88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
668 88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
4016 vpn.exe
1284 RUNDLL32.EXE

pid	process
668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
4016	vpn.exe
1284	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88483e5e82b2362be92c707450c3205427359e6c18bf7.execmd.exepsTOv.exevpn.execmd.execmd.execmd.exeGabbie.exe.com4.exeGabbie.exe.comcgntkwg.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 668 wrote to memory of 4060	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 668 wrote to memory of 4060	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 668 wrote to memory of 4060	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 4060 wrote to memory of 2164	4060	cmd.exe	psTOv.exe
PID 4060 wrote to memory of 2164	4060	cmd.exe	psTOv.exe
PID 4060 wrote to memory of 2164	4060	cmd.exe	psTOv.exe
PID 2164 wrote to memory of 4016	2164	psTOv.exe	vpn.exe
PID 2164 wrote to memory of 4016	2164	psTOv.exe	vpn.exe
PID 2164 wrote to memory of 4016	2164	psTOv.exe	vpn.exe
PID 2164 wrote to memory of 3952	2164	psTOv.exe	4.exe
PID 2164 wrote to memory of 3952	2164	psTOv.exe	4.exe
PID 2164 wrote to memory of 3952	2164	psTOv.exe	4.exe
PID 4016 wrote to memory of 1944	4016	vpn.exe	cmd.exe
PID 4016 wrote to memory of 1944	4016	vpn.exe	cmd.exe
PID 4016 wrote to memory of 1944	4016	vpn.exe	cmd.exe
PID 668 wrote to memory of 4028	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 668 wrote to memory of 4028	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 668 wrote to memory of 4028	668	88483e5e82b2362be92c707450c3205427359e6c18bf7.exe	cmd.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	cmd.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	cmd.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	cmd.exe
PID 4028 wrote to memory of 2468	4028	cmd.exe	timeout.exe
PID 4028 wrote to memory of 2468	4028	cmd.exe	timeout.exe
PID 4028 wrote to memory of 2468	4028	cmd.exe	timeout.exe
PID 956 wrote to memory of 192	956	cmd.exe	findstr.exe
PID 956 wrote to memory of 192	956	cmd.exe	findstr.exe
PID 956 wrote to memory of 192	956	cmd.exe	findstr.exe
PID 956 wrote to memory of 3996	956	cmd.exe	Gabbie.exe.com
PID 956 wrote to memory of 3996	956	cmd.exe	Gabbie.exe.com
PID 956 wrote to memory of 3996	956	cmd.exe	Gabbie.exe.com
PID 956 wrote to memory of 1504	956	cmd.exe	PING.EXE
PID 956 wrote to memory of 1504	956	cmd.exe	PING.EXE
PID 956 wrote to memory of 1504	956	cmd.exe	PING.EXE
PID 3996 wrote to memory of 196	3996	Gabbie.exe.com	Gabbie.exe.com
PID 3996 wrote to memory of 196	3996	Gabbie.exe.com	Gabbie.exe.com
PID 3996 wrote to memory of 196	3996	Gabbie.exe.com	Gabbie.exe.com
PID 3952 wrote to memory of 3868	3952	4.exe	SmartClock.exe
PID 3952 wrote to memory of 3868	3952	4.exe	SmartClock.exe
PID 3952 wrote to memory of 3868	3952	4.exe	SmartClock.exe
PID 196 wrote to memory of 2164	196	Gabbie.exe.com	cgntkwg.exe
PID 196 wrote to memory of 2164	196	Gabbie.exe.com	cgntkwg.exe
PID 196 wrote to memory of 2164	196	Gabbie.exe.com	cgntkwg.exe
PID 196 wrote to memory of 2784	196	Gabbie.exe.com	WScript.exe
PID 196 wrote to memory of 2784	196	Gabbie.exe.com	WScript.exe
PID 196 wrote to memory of 2784	196	Gabbie.exe.com	WScript.exe
PID 2164 wrote to memory of 2772	2164	cgntkwg.exe	rundll32.exe
PID 2164 wrote to memory of 2772	2164	cgntkwg.exe	rundll32.exe
PID 2164 wrote to memory of 2772	2164	cgntkwg.exe	rundll32.exe
PID 2772 wrote to memory of 1284	2772	rundll32.exe	RUNDLL32.EXE
PID 2772 wrote to memory of 1284	2772	rundll32.exe	RUNDLL32.EXE
PID 2772 wrote to memory of 1284	2772	rundll32.exe	RUNDLL32.EXE
PID 196 wrote to memory of 2240	196	Gabbie.exe.com	WScript.exe
PID 196 wrote to memory of 2240	196	Gabbie.exe.com	WScript.exe
PID 196 wrote to memory of 2240	196	Gabbie.exe.com	WScript.exe
PID 1284 wrote to memory of 3568	1284	RUNDLL32.EXE	powershell.exe
PID 1284 wrote to memory of 3568	1284	RUNDLL32.EXE	powershell.exe
PID 1284 wrote to memory of 3568	1284	RUNDLL32.EXE	powershell.exe
PID 1284 wrote to memory of 704	1284	RUNDLL32.EXE	powershell.exe
PID 1284 wrote to memory of 704	1284	RUNDLL32.EXE	powershell.exe
PID 1284 wrote to memory of 704	1284	RUNDLL32.EXE	powershell.exe
PID 704 wrote to memory of 3876	704	powershell.exe	nslookup.exe
PID 704 wrote to memory of 3876	704	powershell.exe	nslookup.exe
PID 704 wrote to memory of 3876	704	powershell.exe	nslookup.exe
PID 1284 wrote to memory of 3452	1284	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe
"C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\psTOv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\psTOv.exe
    "C:\Users\Admin\AppData\Local\Temp\psTOv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Gote.aiff
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^LjaIWKsNCnNrcrIGrRSgkvhmTVtiUhayrefgTaEfPZCszvASPFwjlwZgZTOwGpSgyIZzOzMKjDnkUVybxkagkuUerqfqE$" Diritto.aiff
        7⤵
        
        PID:192
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
        
        Gabbie.exe.com c
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com c
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\cgntkwg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cgntkwg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\cgntkwg.exe
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL,Lh0RLDZnBUw=
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2B52.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4A55.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yocdussajd.vbs"
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\egdmvyfebj.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:2240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        7⤵
        Runs ping.exe
        
        PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mDFsWgaC & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\88483e5e82b2362be92c707450c3205427359e6c18bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
52d0cee4bd67fe46cba37494f0fbec9e

SHA1
712885641655eadfb02e7f964de5ff54f22bd6ca

SHA256
37b9526c8d8bf54813e56ae2eac371724a2d9709f572ad9e87ff51fea9cde4db

SHA512
4d1fffa2b0b8e732adc90030596bcf0f70f8551d27ceafb1c3ae79c3e0b98e2f890b9251496c997755018ec35432516ff35d086815dc8b2fd8f9ba885ff4bf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dal.aiff

MD5
31dedc55170d4ed52eb76be3a9638985

SHA1
513dac3929f455ed419517b1c2c4d47f7eac31ac

SHA256
97f4344e07d26691dffaf8f46a00a05b72227b36efaa8ceb5c2c443fd1922bae

SHA512
82744a91d4ad070c30dd173cd5ec3e6c71f45b6e7df283fa3ffeaf8f2f8313c3c6bb2a576c730a80c2b740fce823139760249151cee7664a4e971b011768916d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Diritto.aiff

MD5
e9c5421045344ad1ddc7e258ad6c2de3

SHA1
b5e34b9c6bbddc1b1d0f77c8e328896ad6e00099

SHA256
c49fa942faccaf5b0421615b8ed9a6a2dec6224842d01344f3fc56617d170fd4

SHA512
a23eac6f1bc5c973d66d3872b057833bdc6af258cfe5e59a8bf87ea93f5cf19e50e1cba8152490c66166827bf50d7403f642b6f04553e845c610cdb56047e703

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dov.aiff

MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gote.aiff

MD5
93b381d92ae8bb0723bf1ba3dd3acf47

SHA1
ebad215f84bf321e5d9dbae1ae7ac1b93d0f130d

SHA256
2318dabdad1ad9bfb9f5261b89016d3db0758c58187e7a52fda9e007a93ca783

SHA512
5bf53e505dc3d23335b7717516f2e5326ff3a7d8d8f3bc2840b412ffd7536b319db7a496f55e239b0721eafe4ddcd3e5abc9d1ff35445f6e0064f2c8c54927b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\c

MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB2F.tmp

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgntkwg.exe

MD5
61b31c8267fdb149ea1505a897a5d576

SHA1
f6d5c36acddf7788e19dbe50a0e13f2fe044895f

SHA256
5d29ea4a89d94d578daf235375de6bec0f2906fdbdefdfba6c223ccc52026b1c

SHA512
e442041b2b50651b9f66ac4137267f388c905479277c59d6afc888d65ec8ba4f53fb5b89f4c1696a80422458559609249bd794dbe185117e793c3ae075efe76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgntkwg.exe

MD5
61b31c8267fdb149ea1505a897a5d576

SHA1
f6d5c36acddf7788e19dbe50a0e13f2fe044895f

SHA256
5d29ea4a89d94d578daf235375de6bec0f2906fdbdefdfba6c223ccc52026b1c

SHA512
e442041b2b50651b9f66ac4137267f388c905479277c59d6afc888d65ec8ba4f53fb5b89f4c1696a80422458559609249bd794dbe185117e793c3ae075efe76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\egdmvyfebj.vbs

MD5
9862d2019d84240dcf1b9e6589740e57

SHA1
eef475584b1382b39570a9391268327ceb07d663

SHA256
d9d4ea2caa14f3f382120929a11e951dc890135b474194e9b67c64a63722b78a

SHA512
cb08617f08258732d882df55c94e2560be292ac49d9b2b8a401aff4c861ba38ddcd18c3cab402d0ccfc47102582dca10b37ce8f8951ef9ad41b0e1c9e6c548bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\DASDBF~1.ZIP

MD5
2e562d8810bce923456178def456c8ad

SHA1
130be62bd787ed534dd4fec3f6b55069c6b7ceec

SHA256
8e79becf78a9e8161909947fd4669b2d02f1c5d8adadec376535e6f6e4b3d4cd

SHA512
5fd51e4f34eadb94f65cad8afb84187fc1aa6d6884773b23fc7d87c7c44e67a35a393a4edd0f4eaac056e1470b1a541b3c7191c4be6d4b1bdba0caa7b3e61b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\FVZCBS~1.ZIP

MD5
fb20ff98bee1114a225221acb94abe94

SHA1
38eeac9299fc9aae37cdd2fc0d6433c94d098dad

SHA256
3a69df3a1261956e9693b61d1e8ecb61025ba25cfbe199558e4df698fff4f60e

SHA512
b636b649e8f1e747f34edb57275e32b07d7ef7736f0753d0d031e6c87e1940e591256a6c5d9917b31b3e735383812806600a5df3b35a3ae29ed64e824df7d3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\_Files\_INFOR~1.TXT

MD5
3364ae06693af3da049dd6ea08066b49

SHA1
41f29ec5525c64f4f292f8382dfe0e94f1e04e46

SHA256
f9824092d5008158c9ffb983e0ce12565f483ee3afcb5ccb4880e1292323faac

SHA512
9edd4f459ab5b6b8cb5ae6581e6b003d1e4b3a765097b00962df8696b324b7a3e2a9fc4d08a6a178362801e91f6f53095833b0236bd9777849d9f3a5f5c46113

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\_Files\_SCREE~1.JPE

MD5
af33946481c2289ce6e29b353a7eb4bd

SHA1
344a0d56ab922f9dfe31b3efb554216f7c0c3029

SHA256
e4f2315bff1791bec5f35aa87a6143c02d868fc6f90bf765fa38603609376a19

SHA512
fd5dc4b91c0e69f2d8c14e245ac4cf86bbab3e37f623cf9107826f97d00de9f6ce3f123e741605051b1cf62da2690d2cf537ab4fd9bfe31b4af366daff94ba1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\files_\SCREEN~1.JPG

MD5
af33946481c2289ce6e29b353a7eb4bd

SHA1
344a0d56ab922f9dfe31b3efb554216f7c0c3029

SHA256
e4f2315bff1791bec5f35aa87a6143c02d868fc6f90bf765fa38603609376a19

SHA512
fd5dc4b91c0e69f2d8c14e245ac4cf86bbab3e37f623cf9107826f97d00de9f6ce3f123e741605051b1cf62da2690d2cf537ab4fd9bfe31b4af366daff94ba1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mDFsWgaC\files_\SYSTEM~1.TXT

MD5
18a44eedd7f1b81c449b9278a4c926c5

SHA1
2e18f3b229b48a9edadd303d7c418d99d172c55f

SHA256
6767297f11fcbd84b25067ddbb9e93d7d6c48445f2d475f568768cc29463e154

SHA512
4769224480b640c1e5e9d77d8bfb85cc3d17d40e95a87a1b9a1df9f3401508102f14691325432962f0f87f56b1a85b614f0f651450b90b0b3d974501d199ef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\psTOv.exe

MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\psTOv.exe

MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B52.tmp.ps1

MD5
1ca1aafc2d3ae8cb7afc06deaa496c5f

SHA1
518bd062f243d8bd6254449c4a6ed7d250558cc2

SHA256
ede5fecc0d8a162ec806fc90662afc42119d6a2fe3864f5a0503d63f99885a10

SHA512
583481b249d1f1e8bfd0836d58e4f8a7b8d0962b8b01db5e2d18cb89b284267b58a88b41480eb6188ddd0bf1baf2bc5edc78cf9df47944d9b2bece0cb7efc1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B53.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A55.tmp.ps1

MD5
f0d6b44cb1ef9f5d5bb46b076e0a9156

SHA1
8bacc5acd7b79237a6ffa0dc611e6c720526e5f6

SHA256
75fefaec76478bfdd590e93a55a417b23031f182134d6881a542bf6e79263f9b

SHA512
c3eb06011079ea6e81ee54f133946d26a8594564ad92af643cf0f815f33ac721007e7fd9df863a47532405507beae8e30baf1533d62d38c4fdf39cb4b971d8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A56.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yocdussajd.vbs

MD5
da40fb977f5dd064ad9ec2218eba44d1

SHA1
de5568afbba52d28376b52540db3f263cee7bfd5

SHA256
d9f37afc8c52ab65b27024b7eb2af2c644c7886d3b8fd0ee36970e9f21681b3e

SHA512
13fc478feb804fa8c4cff587cf36d823e0fae3290c27834d1841cbf2be1b1d71089aa137214db76b7506300b17caae6a6e90ec67918c9f65ed447cfd565a2ce3

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\CGNTKW~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nslD45E.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/192-138-0x0000000000000000-mapping.dmp

Download
memory/196-145-0x0000000000000000-mapping.dmp

Download
memory/196-159-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/668-114-0x00000000022A0000-0x0000000002381000-memory.dmp

Filesize
900KB

Download
memory/668-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/704-234-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/704-220-0x0000000000000000-mapping.dmp

Download
memory/704-230-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/704-248-0x0000000004B43000-0x0000000004B44000-memory.dmp

Filesize
4KB

Download
memory/704-233-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/704-235-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/956-133-0x0000000000000000-mapping.dmp

Download
memory/1284-182-0x00000000042C0000-0x0000000004885000-memory.dmp

Filesize
5.8MB

Download
memory/1284-191-0x0000000004D51000-0x00000000053B0000-memory.dmp

Filesize
6.4MB

Download
memory/1284-185-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1284-221-0x0000000002870000-0x00000000029BA000-memory.dmp

Filesize
1.3MB

Download
memory/1284-179-0x0000000000000000-mapping.dmp

Download
memory/1504-143-0x0000000000000000-mapping.dmp

Download
memory/1944-127-0x0000000000000000-mapping.dmp

Download
memory/2164-171-0x0000000002E50000-0x0000000003557000-memory.dmp

Filesize
7.0MB

Download
memory/2164-173-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2164-172-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/2164-161-0x0000000000000000-mapping.dmp

Download
memory/2164-117-0x0000000000000000-mapping.dmp

Download
memory/2196-249-0x0000000000000000-mapping.dmp

Download
memory/2240-192-0x0000000000000000-mapping.dmp

Download
memory/2468-137-0x0000000000000000-mapping.dmp

Download
memory/2772-166-0x0000000000000000-mapping.dmp

Download
memory/2772-174-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2772-184-0x0000000000680000-0x000000000072E000-memory.dmp

Filesize
696KB

Download
memory/2772-183-0x0000000004EF1000-0x0000000005550000-memory.dmp

Filesize
6.4MB

Download
memory/2772-170-0x00000000041C0000-0x0000000004785000-memory.dmp

Filesize
5.8MB

Download
memory/2784-164-0x0000000000000000-mapping.dmp

Download
memory/3452-247-0x0000000000000000-mapping.dmp

Download
memory/3568-215-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/3568-219-0x0000000000C43000-0x0000000000C44000-memory.dmp

Filesize
4KB

Download
memory/3568-201-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/3568-202-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/3568-203-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/3568-204-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/3568-205-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3568-206-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/3568-207-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/3568-194-0x0000000000000000-mapping.dmp

Download
memory/3568-209-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/3568-214-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/3568-197-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3568-216-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/3568-198-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3568-200-0x0000000000C42000-0x0000000000C43000-memory.dmp

Filesize
4KB

Download
memory/3568-199-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3868-150-0x0000000000000000-mapping.dmp

Download
memory/3868-158-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3868-156-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3876-244-0x0000000000000000-mapping.dmp

Download
memory/3952-153-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/3952-154-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3952-124-0x0000000000000000-mapping.dmp

Download
memory/3952-148-0x00000000006F0000-0x0000000000742000-memory.dmp

Filesize
328KB

Download
memory/3952-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3996-141-0x0000000000000000-mapping.dmp

Download
memory/4016-121-0x0000000000000000-mapping.dmp

Download
memory/4028-128-0x0000000000000000-mapping.dmp

Download
memory/4060-116-0x0000000000000000-mapping.dmp

Download