cryptbot | 9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295

Analysis

max time kernel
139s
max time network
141s
platform
windows10_x64
resource
win10v20210410
submitted
13-06-2021 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E1B1B906B90D0996A66F7132AEA2ADD6.exe
Size

1.7MB
MD5

e1b1b906b90d0996a66f7132aea2add6
SHA1

6f1957598ee5f9bef19313d10665d599353960f9
SHA256

9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295
SHA512

dd877760b1ae888df1d15d482b34e24dd5f382a45d5b31d97d22483fced48dcbc385c0bb5d75a266634d0ed19cc1da4afc87c1242eeeadbb71c148c475b85083

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes

embedded_hash
410EB249B3A3D8613B29638D583F7193

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

37 2388 RUNDLL32.EXE
39 384 WScript.exe
41 384 WScript.exe
43 384 WScript.exe
45 384 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

Chiamando.exe.comChiamando.exe.combUacOUQk.exe4.exevpn.exeSmartClock.exetydjwkjx.exe

pid process

2972 Chiamando.exe.com
748 Chiamando.exe.com
1128 bUacOUQk.exe
1184 4.exe
2380 vpn.exe
4056 SmartClock.exe
636 tydjwkjx.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

bUacOUQk.exerundll32.exeRUNDLL32.EXE

pid process

1128 bUacOUQk.exe
3152 rundll32.exe
3152 rundll32.exe
2388 RUNDLL32.EXE
2388 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com

flow	pid	process
37	2388	RUNDLL32.EXE
39	384	WScript.exe
41	384	WScript.exe
43	384	WScript.exe
45	384	WScript.exe

pid	process
2972	Chiamando.exe.com
748	Chiamando.exe.com
1128	bUacOUQk.exe
1184	4.exe
2380	vpn.exe
4056	SmartClock.exe
636	tydjwkjx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
1128	bUacOUQk.exe
3152	rundll32.exe
3152	rundll32.exe
2388	RUNDLL32.EXE
2388	RUNDLL32.EXE

flow	ioc
24	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

bUacOUQk.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	bUacOUQk.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	bUacOUQk.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	bUacOUQk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn.exeRUNDLL32.EXEChiamando.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chiamando.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Chiamando.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2000 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings vpn.exe

pid	process
2000	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1884 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4056 SmartClock.exe

pid	process
1884	PING.EXE

pid	process
4056	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
1396	powershell.exe
1396	powershell.exe
1396	powershell.exe
2388	RUNDLL32.EXE
2388	RUNDLL32.EXE
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3152	rundll32.exe
Token: SeDebugPrivilege	2388	RUNDLL32.EXE
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

E1B1B906B90D0996A66F7132AEA2ADD6.exeChiamando.exe.comRUNDLL32.EXE

pid process

1844 E1B1B906B90D0996A66F7132AEA2ADD6.exe
748 Chiamando.exe.com
748 Chiamando.exe.com
2388 RUNDLL32.EXE

pid	process
1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe
748	Chiamando.exe.com
748	Chiamando.exe.com
2388	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E1B1B906B90D0996A66F7132AEA2ADD6.execmd.execmd.exeChiamando.exe.comChiamando.exe.comcmd.exebUacOUQk.execmd.exe4.exevpn.exetydjwkjx.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 1844 wrote to memory of 4012	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	dllhost.exe
PID 1844 wrote to memory of 4012	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	dllhost.exe
PID 1844 wrote to memory of 4012	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	dllhost.exe
PID 1844 wrote to memory of 768	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	cmd.exe
PID 1844 wrote to memory of 768	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	cmd.exe
PID 1844 wrote to memory of 768	1844	E1B1B906B90D0996A66F7132AEA2ADD6.exe	cmd.exe
PID 768 wrote to memory of 204	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 204	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 204	768	cmd.exe	cmd.exe
PID 204 wrote to memory of 3144	204	cmd.exe	findstr.exe
PID 204 wrote to memory of 3144	204	cmd.exe	findstr.exe
PID 204 wrote to memory of 3144	204	cmd.exe	findstr.exe
PID 204 wrote to memory of 2972	204	cmd.exe	Chiamando.exe.com
PID 204 wrote to memory of 2972	204	cmd.exe	Chiamando.exe.com
PID 204 wrote to memory of 2972	204	cmd.exe	Chiamando.exe.com
PID 204 wrote to memory of 1884	204	cmd.exe	PING.EXE
PID 204 wrote to memory of 1884	204	cmd.exe	PING.EXE
PID 204 wrote to memory of 1884	204	cmd.exe	PING.EXE
PID 2972 wrote to memory of 748	2972	Chiamando.exe.com	Chiamando.exe.com
PID 2972 wrote to memory of 748	2972	Chiamando.exe.com	Chiamando.exe.com
PID 2972 wrote to memory of 748	2972	Chiamando.exe.com	Chiamando.exe.com
PID 748 wrote to memory of 3172	748	Chiamando.exe.com	cmd.exe
PID 748 wrote to memory of 3172	748	Chiamando.exe.com	cmd.exe
PID 748 wrote to memory of 3172	748	Chiamando.exe.com	cmd.exe
PID 3172 wrote to memory of 1128	3172	cmd.exe	bUacOUQk.exe
PID 3172 wrote to memory of 1128	3172	cmd.exe	bUacOUQk.exe
PID 3172 wrote to memory of 1128	3172	cmd.exe	bUacOUQk.exe
PID 1128 wrote to memory of 1184	1128	bUacOUQk.exe	4.exe
PID 1128 wrote to memory of 1184	1128	bUacOUQk.exe	4.exe
PID 1128 wrote to memory of 1184	1128	bUacOUQk.exe	4.exe
PID 1128 wrote to memory of 2380	1128	bUacOUQk.exe	vpn.exe
PID 1128 wrote to memory of 2380	1128	bUacOUQk.exe	vpn.exe
PID 1128 wrote to memory of 2380	1128	bUacOUQk.exe	vpn.exe
PID 748 wrote to memory of 2096	748	Chiamando.exe.com	cmd.exe
PID 748 wrote to memory of 2096	748	Chiamando.exe.com	cmd.exe
PID 748 wrote to memory of 2096	748	Chiamando.exe.com	cmd.exe
PID 2096 wrote to memory of 2000	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2000	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2000	2096	cmd.exe	timeout.exe
PID 1184 wrote to memory of 4056	1184	4.exe	SmartClock.exe
PID 1184 wrote to memory of 4056	1184	4.exe	SmartClock.exe
PID 1184 wrote to memory of 4056	1184	4.exe	SmartClock.exe
PID 2380 wrote to memory of 636	2380	vpn.exe	tydjwkjx.exe
PID 2380 wrote to memory of 636	2380	vpn.exe	tydjwkjx.exe
PID 2380 wrote to memory of 636	2380	vpn.exe	tydjwkjx.exe
PID 2380 wrote to memory of 812	2380	vpn.exe	WScript.exe
PID 2380 wrote to memory of 812	2380	vpn.exe	WScript.exe
PID 2380 wrote to memory of 812	2380	vpn.exe	WScript.exe
PID 636 wrote to memory of 3152	636	tydjwkjx.exe	rundll32.exe
PID 636 wrote to memory of 3152	636	tydjwkjx.exe	rundll32.exe
PID 636 wrote to memory of 3152	636	tydjwkjx.exe	rundll32.exe
PID 3152 wrote to memory of 2388	3152	rundll32.exe	RUNDLL32.EXE
PID 3152 wrote to memory of 2388	3152	rundll32.exe	RUNDLL32.EXE
PID 3152 wrote to memory of 2388	3152	rundll32.exe	RUNDLL32.EXE
PID 2388 wrote to memory of 1396	2388	RUNDLL32.EXE	powershell.exe
PID 2388 wrote to memory of 1396	2388	RUNDLL32.EXE	powershell.exe
PID 2388 wrote to memory of 1396	2388	RUNDLL32.EXE	powershell.exe
PID 2380 wrote to memory of 384	2380	vpn.exe	WScript.exe
PID 2380 wrote to memory of 384	2380	vpn.exe	WScript.exe
PID 2380 wrote to memory of 384	2380	vpn.exe	WScript.exe
PID 2388 wrote to memory of 2392	2388	RUNDLL32.EXE	powershell.exe
PID 2388 wrote to memory of 2392	2388	RUNDLL32.EXE	powershell.exe
PID 2388 wrote to memory of 2392	2388	RUNDLL32.EXE	powershell.exe
PID 2392 wrote to memory of 2084	2392	powershell.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\E1B1B906B90D0996A66F7132AEA2ADD6.exe
"C:\Users\Admin\AppData\Local\Temp\E1B1B906B90D0996A66F7132AEA2ADD6.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Impedisce.pptm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^wagEkAdCleHJqaSSdYHKLqULPpcBuUcgiylPKnulHizoVYqpafEPVEewbDOeyPvfGaBVoeiSRvrEGMPQokoQdGzDepaiJtyRKtCCbywdiLXnAnxLNYUTGFYqYYSZJqoNskTCp$" Per.pptm
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
      Chiamando.exe.com U
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com U
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bUacOUQk.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\bUacOUQk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bUacOUQk.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
        8⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tydjwkjx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tydjwkjx.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\tydjwkjx.exe
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL,NxgfTI07
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpABE1.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBDD4.tmp.ps1"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        13⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        12⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wdvsnmoi.vbs"
        9⤵
        
        PID:812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yjgmgntqwtgg.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2000
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
54176ec6eaef90744f5c2f7bb7614825

SHA1
3b302e4d62cb5811779cd18939f7b40484e7dead

SHA256
c7baa57ca88fe15a03be7bbd16f8b0b87c76482291302de57bc1410e360992ef

SHA512
28a0f7e32cd291bdead87fa5f3d24512d32e372fc442d142628a681eabb6701ebeaaae3d6782d6e2d1ba438414479dec93a5afd43b7773fdcac18991008a26cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d8722c14b2cdc671cbfeff2800185b4d

SHA1
f59a32e6481274e6c7b766ace4a3a0b6139b12c3

SHA256
30f7b6170eb9003333ea369525dacfd9cf802cbff225d95983e54c68992c9325

SHA512
532f4666a949824086b47aa325422e33d865097e9a02ad27daf2df18418af22b2b5a226703b49e2e22c0d34250eae143ed8a6db07cbdbb298c864cad2d93890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chi.pptm

MD5
e110ce72625078d547c886a740e68c57

SHA1
215779e0efb7b7c9d9565ae0bc3fcdb75615aabe

SHA256
53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9

SHA512
82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Impedisce.pptm

MD5
d17fc67d0b5c5935aa4b830c9507b948

SHA1
beffdceb7356942c4b66f5325040c73229dc88b1

SHA256
6da630d00bf32ef1601dc2340bd5aa5a3ea2ef7c41ea7cf2ced6da52a1063132

SHA512
39b3dec3f5b12aa9240265eef49663c8c4ac5d595d6a3e57ef4bd4d5469bf2939e5ad3aabc74a3a5c4ef58192e75730e058612af0de02586cf6eb6321ff0fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Per.pptm

MD5
30fce572d6ac11368a49ca0383b967fb

SHA1
2630d72c33213dddce822a4342177dbad60e8bfb

SHA256
36be6115204a59a7396a9c80309c97d4d57531e6bc9c1d4c993428d69f5512f2

SHA512
d4857d4cd095fe97e0916a9609bc7e332b92edfbb0d945ee32b8b4fffd6e1dec82bfdd60964712020b7ad3ba50b881eb8a69b13612ce5e5a9d78609b4e88b476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U

MD5
e110ce72625078d547c886a740e68c57

SHA1
215779e0efb7b7c9d9565ae0bc3fcdb75615aabe

SHA256
53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9

SHA512
82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.pptm

MD5
369210a42bfd6b07df2fc02d118e5fe6

SHA1
56d6250b99e63361fe4a325f1d54d3ca3f5ee1f8

SHA256
9e5d8edbaccfc2afa94b6361f877ecd6a5a55ff0adc1a930b5e28127a4909e3d

SHA512
c05095cd6d34398e62ae119ed3dc4397ce3b9d7a036e71322f25f372895d9ef342ff34cfd3ee04f74cbf0949750801657ec1a5aec3e4c487f8174415a250248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL

MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUacOUQk.exe

MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUacOUQk.exe

MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpABE1.tmp.ps1

MD5
06564652b788058d5184ba4d8154c3d1

SHA1
83cc5f635435aa59b029522e5e423d16885e467e

SHA256
9365cf1a3cc1f1b2def25e6be61f696bcb8a95c88961d6ca3c70af62969ec7ac

SHA512
e5593e63ebcb15b14af6c5343c623918bd67bb49d677bd3190a5d85e653c237148f1b96e466c008d683869f264932c3aedaf10e048d614cfa3c7e79ea8c8935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpABE2.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDD4.tmp.ps1

MD5
b35ab95abf87059a992e541542f26588

SHA1
3183af15d02d4a2ef0441fc4762611db1dae8f23

SHA256
04d0596d58779631212bb6087c23c66993689c64378528bdc73ddac1cb6886af

SHA512
008f0b331835c31061544d5eebe707566cafa8cfd18bece39568f13cf2dd979158178d9168264236706783cc1c52ba973a6ade058c5f3c1ab153758078e4dad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDD5.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tydjwkjx.exe

MD5
0ff374c3159b219d903f02de1a32a66c

SHA1
374e1024e946b4ead72b76527e4cae21bb064b78

SHA256
4b58b3a1b756e396ec79b962397b65f3c5ca38c769ea923670da4bd503b30f74

SHA512
e7cdac7ad46f2b44e76379d8c910088e7f2ebdf6362cec3d8fb633a960ec6107337f4e85ae0bae018b26a6f5c53fa00c28e3cf0a2a1875aa2719bb974a196216

Download Submit
C:\Users\Admin\AppData\Local\Temp\tydjwkjx.exe

MD5
0ff374c3159b219d903f02de1a32a66c

SHA1
374e1024e946b4ead72b76527e4cae21bb064b78

SHA256
4b58b3a1b756e396ec79b962397b65f3c5ca38c769ea923670da4bd503b30f74

SHA512
e7cdac7ad46f2b44e76379d8c910088e7f2ebdf6362cec3d8fb633a960ec6107337f4e85ae0bae018b26a6f5c53fa00c28e3cf0a2a1875aa2719bb974a196216

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdvsnmoi.vbs

MD5
14ece29f882a769acd47ff95f0028014

SHA1
e5d1d9273f27b25b3e58fc575c34466b9180f971

SHA256
1f625ba964cbb83a40fed1397824627a6c1a0df3c8b7a8d9ad9605be766b1de9

SHA512
4e271e1a56a7d6f2166584b056c408613e56a7dc1376b11b5f87fffabeb1e20f5f01332548850e240b24c67073b35637e43227171267eadab4b91228cc50058c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\IRFQFW~1.ZIP

MD5
884ea7fce02a693237cf695098e40fce

SHA1
8162924e9e752fc134b9f3025245d280258b0e68

SHA256
7ba14d6b0c03c5311f7b2f52b25aad1fb4c290e432b8ffb02f937e7478fb792f

SHA512
717cd2f2be8082200334c3f2a3d27356b0562d19ea649dab1307c07c88d905b98236ecfaef563a0240323aa83fcd132e45de8cffa998ecd65efc4f432bf9489a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\NIIYER~1.ZIP

MD5
d0e8dbdc4d71ce5acb5aa93252a9b217

SHA1
a6ad6a63c367dcac64e4120ac0c9a242869b4a66

SHA256
be6618807bec637ab63a29c5f0e6fcdbae53a10052625f34198254161f9c211b

SHA512
44301df46789c434936b20354d82bfeebd9d4c22305a1ed3d471499142891f160aa3561af3bf0f1197fcab1521b7fb225ac063a4540611b38112b1860952e7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\_Files\_INFOR~1.TXT

MD5
01d7d6dc7fa50f7d20c0a5028f7387f6

SHA1
636a0e4b71f8c237df163d3937d6f7c357ec4c1d

SHA256
3382df75e3ff8ddf288209106d6cec6b33df0ca5a5f662a5474e75f10e4b4780

SHA512
c2a45cc102cd2edc7ebce7752fb367967eb00a9098d11424b39f5df396608de50ca1808a156945c6c6254740cceb21f6db408b873023905419444f819394cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\_Files\_SCREE~1.JPE

MD5
bcf3032d271061a64d0d9218328a14f5

SHA1
09aea77b31ebf47e4795713b0b3abdfda5373655

SHA256
2cba6cec7fe1be24214452617b7dc075cedee6cb3e6208b195206d21917a44c2

SHA512
f5868dd27e03891c901e4d1f92078ccdfcde6d5eecda900a1f478b481e9229cd22f84d3e6010717fee957d21f2782ed2f3d8896540d674195374f632c9672ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\files_\SCREEN~1.JPG

MD5
bcf3032d271061a64d0d9218328a14f5

SHA1
09aea77b31ebf47e4795713b0b3abdfda5373655

SHA256
2cba6cec7fe1be24214452617b7dc075cedee6cb3e6208b195206d21917a44c2

SHA512
f5868dd27e03891c901e4d1f92078ccdfcde6d5eecda900a1f478b481e9229cd22f84d3e6010717fee957d21f2782ed2f3d8896540d674195374f632c9672ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuoomyuyCChBs\files_\SYSTEM~1.TXT

MD5
c881ac55ece13d5d942e13c3497d0c3c

SHA1
02d1742a4f7990e021429b0a971319c912e4510a

SHA256
9a374c35578ca849532472020661d3c8fc72e689cef6ee19c050a364f4614dac

SHA512
70c08f24cce79055cd1b117b32abfb0bdb6fd5075af11495bf3695c365eb50b6020591c39f5b9afbad8b0818421a9b67ac6bc9feb19b31c4d17c179adefe8f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjgmgntqwtgg.vbs

MD5
9954b86711822748821e5f839f78396b

SHA1
0175391544399823eff25bc01e377ea3814c7f40

SHA256
1ab113d06b7d2218d9711ba4ea74fb2c7a0987e9ae0a7e13320cfd2d836433cc

SHA512
aa9f211bd113ba5c05d8bfceec96773a4f63789b975ad53b0d0e11e961fa146b453bd62396440a4f7970ef3bb8065190e3a8a2e0a16f5160b4fad0f7a0eaaee0

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL

MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL

MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL

MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\TYDJWK~1.DLL

MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\nsc496F.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/204-117-0x0000000000000000-mapping.dmp

Download
memory/384-211-0x0000000000000000-mapping.dmp

Download
memory/636-164-0x0000000000400000-0x00000000011D5000-memory.dmp

Filesize
13.8MB

Download
memory/636-156-0x0000000000000000-mapping.dmp

Download
memory/636-163-0x00000000033E0000-0x0000000003AE7000-memory.dmp

Filesize
7.0MB

Download
memory/636-165-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/748-125-0x0000000000000000-mapping.dmp

Download
memory/748-128-0x0000000000D40000-0x0000000000D63000-memory.dmp

Filesize
140KB

Download
memory/768-115-0x0000000000000000-mapping.dmp

Download
memory/812-159-0x0000000000000000-mapping.dmp

Download
memory/1128-131-0x0000000000000000-mapping.dmp

Download
memory/1184-135-0x0000000000000000-mapping.dmp

Download
memory/1184-243-0x0000000000000000-mapping.dmp

Download
memory/1184-152-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/1184-153-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1396-216-0x0000000004543000-0x0000000004544000-memory.dmp

Filesize
4KB

Download
memory/1396-201-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/1396-197-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/1396-196-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/1396-195-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/1396-194-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/1396-213-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1396-210-0x0000000008C90000-0x0000000008C91000-memory.dmp

Filesize
4KB

Download
memory/1396-209-0x0000000009700000-0x0000000009701000-memory.dmp

Filesize
4KB

Download
memory/1396-204-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/1396-202-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/1396-198-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1396-200-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/1396-188-0x0000000000000000-mapping.dmp

Download
memory/1396-199-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/1396-192-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1396-193-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/1884-123-0x0000000000000000-mapping.dmp

Download
memory/2000-148-0x0000000000000000-mapping.dmp

Download
memory/2084-240-0x0000000000000000-mapping.dmp

Download
memory/2096-141-0x0000000000000000-mapping.dmp

Download
memory/2380-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2380-137-0x0000000000000000-mapping.dmp

Download
memory/2380-154-0x0000000000560000-0x0000000000584000-memory.dmp

Filesize
144KB

Download
memory/2388-187-0x0000000005841000-0x0000000005EA0000-memory.dmp

Filesize
6.4MB

Download
memory/2388-182-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2388-229-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2388-176-0x0000000000000000-mapping.dmp

Download
memory/2388-179-0x0000000004AD0000-0x0000000005095000-memory.dmp

Filesize
5.8MB

Download
memory/2392-230-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/2392-225-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/2392-244-0x0000000006953000-0x0000000006954000-memory.dmp

Filesize
4KB

Download
memory/2392-231-0x0000000006952000-0x0000000006953000-memory.dmp

Filesize
4KB

Download
memory/2392-228-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/2392-217-0x0000000000000000-mapping.dmp

Download
memory/2972-121-0x0000000000000000-mapping.dmp

Download
memory/3144-118-0x0000000000000000-mapping.dmp

Download
memory/3152-170-0x0000000003F00000-0x00000000044C5000-memory.dmp

Filesize
5.8MB

Download
memory/3152-181-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/3152-166-0x0000000000000000-mapping.dmp

Download
memory/3152-171-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3152-180-0x0000000004C71000-0x00000000052D0000-memory.dmp

Filesize
6.4MB

Download
memory/3172-130-0x0000000000000000-mapping.dmp

Download
memory/3960-245-0x0000000000000000-mapping.dmp

Download
memory/4012-114-0x0000000000000000-mapping.dmp

Download
memory/4056-149-0x0000000000000000-mapping.dmp

Download
memory/4056-161-0x00000000005F0000-0x0000000000616000-memory.dmp

Filesize
152KB

Download
memory/4056-162-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download