cryptbot | 0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a

Analysis

max time kernel
134s
max time network
131s
platform
windows10_x64
resource
win10v20210410
submitted
13-06-2021 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18dc9cf860133016c0c244b9ad579bd.exe
Size

1.7MB
MD5

d18dc9cf860133016c0c244b9ad579bd
SHA1

1fc0e27cdab3f5ff40cac4448f4023c0693ec071
SHA256

0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a
SHA512

77d9135160dc9e35c3112e8036e0f39778235c3630805001b1230090fba47104ed306e30b4633dcfcd4f0440d731ba5c4a61906ec1140f78bd0b2e3241e91f1f

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes

embedded_hash
410EB249B3A3D8613B29638D583F7193

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

35 1032 RUNDLL32.EXE
37 3212 WScript.exe
39 3212 WScript.exe
41 3212 WScript.exe
43 3212 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

Leva.exe.comLeva.exe.combTrxp.exe4.exevpn.exeSmartClock.exejdftqalqnh.exe

pid process

2940 Leva.exe.com
3144 Leva.exe.com
4016 bTrxp.exe
208 4.exe
1468 vpn.exe
3464 SmartClock.exe
3644 jdftqalqnh.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

bTrxp.exerundll32.exeRUNDLL32.EXE

pid process

4016 bTrxp.exe
1564 rundll32.exe
1032 RUNDLL32.EXE
1032 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	pid	process
35	1032	RUNDLL32.EXE
37	3212	WScript.exe
39	3212	WScript.exe
41	3212	WScript.exe
43	3212	WScript.exe

pid	process
2940	Leva.exe.com
3144	Leva.exe.com
4016	bTrxp.exe
208	4.exe
1468	vpn.exe
3464	SmartClock.exe
3644	jdftqalqnh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
4016	bTrxp.exe
1564	rundll32.exe
1032	RUNDLL32.EXE
1032	RUNDLL32.EXE

flow	ioc
22	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

bTrxp.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	bTrxp.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	bTrxp.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	bTrxp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXELeva.exe.comvpn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Leva.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Leva.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2016 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings vpn.exe

pid	process
2016	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1236 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3464 SmartClock.exe

pid	process
1236	PING.EXE

pid	process
3464	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
1032	RUNDLL32.EXE
1032	RUNDLL32.EXE
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1564	rundll32.exe
Token: SeDebugPrivilege	1032	RUNDLL32.EXE
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.exeLeva.exe.comRUNDLL32.EXE

pid process

3896 d18dc9cf860133016c0c244b9ad579bd.exe
3144 Leva.exe.com
3144 Leva.exe.com
1032 RUNDLL32.EXE

pid	process
3896	d18dc9cf860133016c0c244b9ad579bd.exe
3144	Leva.exe.com
3144	Leva.exe.com
1032	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.execmd.execmd.exeLeva.exe.comLeva.exe.comcmd.exebTrxp.execmd.exe4.exevpn.exejdftqalqnh.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3896 wrote to memory of 2724	3896	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3896 wrote to memory of 2724	3896	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3896 wrote to memory of 2724	3896	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3896 wrote to memory of 2788	3896	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 3896 wrote to memory of 2788	3896	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 3896 wrote to memory of 2788	3896	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 2788 wrote to memory of 4092	2788	cmd.exe	cmd.exe
PID 2788 wrote to memory of 4092	2788	cmd.exe	cmd.exe
PID 2788 wrote to memory of 4092	2788	cmd.exe	cmd.exe
PID 4092 wrote to memory of 2968	4092	cmd.exe	findstr.exe
PID 4092 wrote to memory of 2968	4092	cmd.exe	findstr.exe
PID 4092 wrote to memory of 2968	4092	cmd.exe	findstr.exe
PID 4092 wrote to memory of 2940	4092	cmd.exe	Leva.exe.com
PID 4092 wrote to memory of 2940	4092	cmd.exe	Leva.exe.com
PID 4092 wrote to memory of 2940	4092	cmd.exe	Leva.exe.com
PID 4092 wrote to memory of 1236	4092	cmd.exe	PING.EXE
PID 4092 wrote to memory of 1236	4092	cmd.exe	PING.EXE
PID 4092 wrote to memory of 1236	4092	cmd.exe	PING.EXE
PID 2940 wrote to memory of 3144	2940	Leva.exe.com	Leva.exe.com
PID 2940 wrote to memory of 3144	2940	Leva.exe.com	Leva.exe.com
PID 2940 wrote to memory of 3144	2940	Leva.exe.com	Leva.exe.com
PID 3144 wrote to memory of 2812	3144	Leva.exe.com	cmd.exe
PID 3144 wrote to memory of 2812	3144	Leva.exe.com	cmd.exe
PID 3144 wrote to memory of 2812	3144	Leva.exe.com	cmd.exe
PID 2812 wrote to memory of 4016	2812	cmd.exe	bTrxp.exe
PID 2812 wrote to memory of 4016	2812	cmd.exe	bTrxp.exe
PID 2812 wrote to memory of 4016	2812	cmd.exe	bTrxp.exe
PID 4016 wrote to memory of 208	4016	bTrxp.exe	4.exe
PID 4016 wrote to memory of 208	4016	bTrxp.exe	4.exe
PID 4016 wrote to memory of 208	4016	bTrxp.exe	4.exe
PID 4016 wrote to memory of 1468	4016	bTrxp.exe	vpn.exe
PID 4016 wrote to memory of 1468	4016	bTrxp.exe	vpn.exe
PID 4016 wrote to memory of 1468	4016	bTrxp.exe	vpn.exe
PID 3144 wrote to memory of 988	3144	Leva.exe.com	cmd.exe
PID 3144 wrote to memory of 988	3144	Leva.exe.com	cmd.exe
PID 3144 wrote to memory of 988	3144	Leva.exe.com	cmd.exe
PID 988 wrote to memory of 2016	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 2016	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 2016	988	cmd.exe	timeout.exe
PID 208 wrote to memory of 3464	208	4.exe	SmartClock.exe
PID 208 wrote to memory of 3464	208	4.exe	SmartClock.exe
PID 208 wrote to memory of 3464	208	4.exe	SmartClock.exe
PID 1468 wrote to memory of 3644	1468	vpn.exe	jdftqalqnh.exe
PID 1468 wrote to memory of 3644	1468	vpn.exe	jdftqalqnh.exe
PID 1468 wrote to memory of 3644	1468	vpn.exe	jdftqalqnh.exe
PID 1468 wrote to memory of 3696	1468	vpn.exe	WScript.exe
PID 1468 wrote to memory of 3696	1468	vpn.exe	WScript.exe
PID 1468 wrote to memory of 3696	1468	vpn.exe	WScript.exe
PID 3644 wrote to memory of 1564	3644	jdftqalqnh.exe	rundll32.exe
PID 3644 wrote to memory of 1564	3644	jdftqalqnh.exe	rundll32.exe
PID 3644 wrote to memory of 1564	3644	jdftqalqnh.exe	rundll32.exe
PID 1564 wrote to memory of 1032	1564	rundll32.exe	RUNDLL32.EXE
PID 1564 wrote to memory of 1032	1564	rundll32.exe	RUNDLL32.EXE
PID 1564 wrote to memory of 1032	1564	rundll32.exe	RUNDLL32.EXE
PID 1032 wrote to memory of 3848	1032	RUNDLL32.EXE	powershell.exe
PID 1032 wrote to memory of 3848	1032	RUNDLL32.EXE	powershell.exe
PID 1032 wrote to memory of 3848	1032	RUNDLL32.EXE	powershell.exe
PID 1032 wrote to memory of 3540	1032	RUNDLL32.EXE	powershell.exe
PID 1032 wrote to memory of 3540	1032	RUNDLL32.EXE	powershell.exe
PID 1032 wrote to memory of 3540	1032	RUNDLL32.EXE	powershell.exe
PID 1468 wrote to memory of 3212	1468	vpn.exe	WScript.exe
PID 1468 wrote to memory of 3212	1468	vpn.exe	WScript.exe
PID 1468 wrote to memory of 3212	1468	vpn.exe	WScript.exe
PID 3540 wrote to memory of 2928	3540	powershell.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe
"C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Tornato.png
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^OlSktDCltJXwMRVSSmmpBhzNzZddlihGzPuRoTcXAVxOIQjWDdCKnvzBRyRyhkZWcdHWLtJZrCIFSEtDNxMUEDiXvEZrwfKgWbaapflmGDGWNNIjqgaSnyaRpKAutGXOSxJcjMxbphhqXk$" Basso.png
4⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
Leva.exe.com Q
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com Q
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bTrxp.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\bTrxp.exe
"C:\Users\Admin\AppData\Local\Temp\bTrxp.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
8⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3464

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
8⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\jdftqalqnh.exe
"C:\Users\Admin\AppData\Local\Temp\jdftqalqnh.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\JDFTQA~1.EXE
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL,MiYM
11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1DE6.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
13⤵
PID:2928

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:1820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qivksohdvy.vbs"
9⤵
PID:3696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cvujxrxd.vbs"
9⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\swiojrDXV & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com"
6⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c33509a73b25b440d65860d59597d88e

SHA1
fa09cf6f951f2a27d65baeb3bf719052592d390b

SHA256
c0548f4820e5111ce09eedb34ab9b77a3b76d68847c32a2b06bcfab083cc159a

SHA512
a3187c009e88730edf406856f38485570a451dc2174ce1f144b5bc15f8f11dd1ab38d204dd47eee661c945b4a8df9af75f35d819746a15472e34bc8e6e87c8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Basso.png
MD5
172d4c14c7654c95a3474afbf4c4c104

SHA1
b16ec68de817985c4548bbb598de7cef365ae513

SHA256
4e8a9443d4d16f796dfd9f78e875bd5c0b66b69dd98c2f75fd30295e37c57119

SHA512
026e8afa026808f12e9605b588efe43859b8c7b49eec14607f3fa77f4791b1e63a0e773c775b0935f5cac92d130c4b2e53e1a3b20b9056d02215eb32fec42455

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornarvi.png
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Splendido.png
MD5
3efcd80a02332c9b2b84390a08d541d0

SHA1
d65943bec952053fccddd2e7865f0b50800d2283

SHA256
fe77afd57a0a9353d6370ca8d34d9c94ef5988a16655adc93e4b36aa1e4f5337

SHA512
8fcfb341b8be15378505400395c86a748430f97b0981177f0debfbca37db69983a4b81acb9d9cab95f8ad82e6a74bab1cb32258167a096d327913f44024ab237

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tornato.png
MD5
eaf43205aa58bcf0fcced0535fb97d34

SHA1
d42827604b82edf3722d6cc29be03de04ef66748

SHA256
3eed6c7c13b633199b1ddac6cf2574356817cd9409b456845ff47b25d1bffe09

SHA512
679c8c2e48532dd6db9e9592c0388936e77408620f5cc97e91ac2c6a2305b6c17ae4baab0fa5d5d61c22da0de36fa66f71dda4ed4f6b4b93c71ed7953ae57937

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\bTrxp.exe
MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\bTrxp.exe
MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvujxrxd.vbs
MD5
140c47d2b49ce150c20eb61ea3935cf0

SHA1
7a7e234399e13a44ff174818d241858b2b10284e

SHA256
b74c1c668ec590e100b73146971beafa67a5ef7c7f61256d5c94215bdffa2fa1

SHA512
bcd934e4dcf3f81861ca64c2e3c265dff3c65dd3eea9c68292d7abfc293b80dd30164f2ae6601c344476c6b1d3041de05f407170824e280effc56f8a36f0a04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdftqalqnh.exe
MD5
eb1df62a8f67980bd4b6b5cfd53afa11

SHA1
11c623348cdb4893d039c55fb178a7843120c798

SHA256
405b79e798aeb349ceddb06d655d29da72a9c85bfbc73fc6ffe4e131d738304a

SHA512
f159dcb57f30305554fcea84dacda9182a9ee57953de4e35071ef11d228329e127b444527e55fe51a5475b737fd888344a520538370d0cae94f8dd30df586add

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdftqalqnh.exe
MD5
eb1df62a8f67980bd4b6b5cfd53afa11

SHA1
11c623348cdb4893d039c55fb178a7843120c798

SHA256
405b79e798aeb349ceddb06d655d29da72a9c85bfbc73fc6ffe4e131d738304a

SHA512
f159dcb57f30305554fcea84dacda9182a9ee57953de4e35071ef11d228329e127b444527e55fe51a5475b737fd888344a520538370d0cae94f8dd30df586add

Download Submit
C:\Users\Admin\AppData\Local\Temp\qivksohdvy.vbs
MD5
beeae9839fa63a90c94f9612639088fc

SHA1
7d435a52fe97660271def46958fb10150e09eb6b

SHA256
07e597a07b1596c43938491a169496d93389ff1c260348614aa330ecf7c9e86b

SHA512
d7d74841a575a1d67a58604a6bfe55ae68a1c043a75a26af93288fb0596e4c6078db4612afcc1be57b7470980cf989196ad5aead96ce441768f336e53853e9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\RETOKX~1.ZIP
MD5
4463fbfdb119859d4ac279b6d030c5cd

SHA1
ea00914b73ce4969e61a6e855cb3a575405613a5

SHA256
cc1d5d0777728ec2641ad85b24c6792dce3fad05b4782738deee6e0d3424916b

SHA512
e0c2fc8e6cef6c13372e87d13ba70d5f8f6ddbf101536d57288af6b74d7d496c90c75a155bff54e85ab06590eacedc39512c7906c5bb4a61b48fc6ddc85d4f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\VUULXW~1.ZIP
MD5
6d1e7fcf1ff25708d0b240957024682d

SHA1
5b4bb62e6adb795074bc36747d29be6990ebbfd7

SHA256
545fc5e4aaedd3699e4575dd16a9f2e42ce2f6dd7345390bb92de7d6c5eef265

SHA512
ebc4c0b18613b5bf264e434c8e1b4e18238e162fe8a3486172a11b724dcf0d2a24812e175c1887eddf510cf75b18892945aae4bf16d4b3a814bb8ce95ffd51ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\_Files\_Files\CONNEC~1.TXT
MD5
cee1f05e82b5770c7a9ea5eeca8fa67a

SHA1
34cfefdf3e01f3f8f2de83e863b2412a413f02c0

SHA256
b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893

SHA512
28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\_Files\_INFOR~1.TXT
MD5
90ee6c7dc32d8301cc278550de15eac5

SHA1
13df2a975b7136f4f1958ba54cf33ab48f64c012

SHA256
79dd5e23fad767b58fc251ee5e1ab2d2caf0c71334d23e1acad53f971c754948

SHA512
41346040e3f88e29ccfb46815f1c49b5af7cdf2a182da2be64178f95df2ba4a17fbbe9337eb90e19be0b9d5914685be8265ab33b8919a0f163263070d8fa0741

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\_Files\_SCREE~1.JPE
MD5
f182c156cc1e61013332161eb5de9955

SHA1
df365dcd65ddc130c51548de06892c36b9708be3

SHA256
c5fb7eafde50f569eac6817ba21f2512cff720b9962770c63cd89971fd3cc1f6

SHA512
07ad7e2cfc27792af52d5fe2607265eac44b7b3d0978787d9c049e0b6da5251ae2317181cad459b4f8d6fbba44132c6d9087f07aade43c057b67db4f4bc2c207

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\files_\SCREEN~1.JPG
MD5
f182c156cc1e61013332161eb5de9955

SHA1
df365dcd65ddc130c51548de06892c36b9708be3

SHA256
c5fb7eafde50f569eac6817ba21f2512cff720b9962770c63cd89971fd3cc1f6

SHA512
07ad7e2cfc27792af52d5fe2607265eac44b7b3d0978787d9c049e0b6da5251ae2317181cad459b4f8d6fbba44132c6d9087f07aade43c057b67db4f4bc2c207

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\files_\SYSTEM~1.TXT
MD5
cac4f882986d6a095565025ac345e462

SHA1
892fec36508274ab12f5d5f5ea4c239390807cae

SHA256
977149a20a9b181c50159d36cc35e8889a68dbef951b8e8598baefba527fbe3e

SHA512
fd3829febaa38024cb9a40d84b5eb7e09b34b902aee8897359e5d564917c7c30dbc246729c85d8cc843db3359e5d613903b9b34687ee03a1a3d93a591506696e

Download Submit
C:\Users\Admin\AppData\Local\Temp\swiojrDXV\files_\files\CONNEC~1.TXT
MD5
cee1f05e82b5770c7a9ea5eeca8fa67a

SHA1
34cfefdf3e01f3f8f2de83e863b2412a413f02c0

SHA256
b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893

SHA512
28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DE6.tmp.ps1
MD5
93ec20d0c855eb0e7334570560ffae43

SHA1
2d48e575d9e75c918a4f302dbb707ebbc31f54b4

SHA256
0e8f6579368892d138aedd9a8dd174187a504ee2bdf3ec3808de9e754ec90ce0

SHA512
1d998edd195b1ee5bd023be7e76e871c9b6d670b7a7303951bc234d849fa64e2dbc017866a5436e05bfa662a3f42c7dd8d2acd8ae357ec75aa7a4dd8a2987c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DE7.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.ps1
MD5
538e2d7d0bb41c613391db6ecfebd918

SHA1
118ca4bc658162c7d6769de696c174bba8ab3c5c

SHA256
0dd5bb6a0f7f7e6ae9b30ad470870c23e6ddb6b1c7cdb69610b3c9942c9014f9

SHA512
874239ec3a6d22019ef30ede656887c53e1604cdea958d8033750d45b83fc34ea83b19383e502d063142d327d9af8f17bfe241902e06475189a9c34653437b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB67.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\JDFTQA~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\nsmAEEF.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/208-157-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/208-155-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/208-135-0x0000000000000000-mapping.dmp

Download
memory/988-141-0x0000000000000000-mapping.dmp

Download
memory/1032-173-0x0000000000000000-mapping.dmp

Download
memory/1032-178-0x00000000051B1000-0x0000000005810000-memory.dmp

Filesize
6.4MB

Download
memory/1032-223-0x0000000000A00000-0x0000000000B4A000-memory.dmp

Filesize
1.3MB

Download
memory/1032-179-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1032-176-0x0000000004670000-0x0000000004C35000-memory.dmp

Filesize
5.8MB

Download
memory/1236-123-0x0000000000000000-mapping.dmp

Download
memory/1468-156-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1468-137-0x0000000000000000-mapping.dmp

Download
memory/1468-154-0x00000000005E0000-0x0000000000604000-memory.dmp

Filesize
144KB

Download
memory/1564-168-0x0000000000000000-mapping.dmp

Download
memory/1564-180-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1564-177-0x00000000050A1000-0x0000000005700000-memory.dmp

Filesize
6.4MB

Download
memory/1820-238-0x0000000000000000-mapping.dmp

Download
memory/2016-150-0x0000000000000000-mapping.dmp

Download
memory/2188-236-0x0000000000000000-mapping.dmp

Download
memory/2724-114-0x0000000000000000-mapping.dmp

Download
memory/2788-115-0x0000000000000000-mapping.dmp

Download
memory/2812-130-0x0000000000000000-mapping.dmp

Download
memory/2928-233-0x0000000000000000-mapping.dmp

Download
memory/2940-121-0x0000000000000000-mapping.dmp

Download
memory/2968-118-0x0000000000000000-mapping.dmp

Download
memory/3144-125-0x0000000000000000-mapping.dmp

Download
memory/3144-129-0x0000000001020000-0x000000000116A000-memory.dmp

Filesize
1.3MB

Download
memory/3212-208-0x0000000000000000-mapping.dmp

Download
memory/3464-164-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3464-151-0x0000000000000000-mapping.dmp

Download
memory/3464-163-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3540-221-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/3540-237-0x0000000006D03000-0x0000000006D04000-memory.dmp

Filesize
4KB

Download
memory/3540-207-0x0000000000000000-mapping.dmp

Download
memory/3540-218-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/3540-225-0x0000000006D02000-0x0000000006D03000-memory.dmp

Filesize
4KB

Download
memory/3540-224-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/3644-158-0x0000000000000000-mapping.dmp

Download
memory/3644-165-0x0000000003490000-0x0000000003B97000-memory.dmp

Filesize
7.0MB

Download
memory/3644-166-0x0000000000400000-0x00000000011D1000-memory.dmp

Filesize
13.8MB

Download
memory/3644-167-0x00000000011E0000-0x000000000128E000-memory.dmp

Filesize
696KB

Download
memory/3696-161-0x0000000000000000-mapping.dmp

Download
memory/3848-194-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/3848-186-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/3848-206-0x0000000006B93000-0x0000000006B94000-memory.dmp

Filesize
4KB

Download
memory/3848-181-0x0000000000000000-mapping.dmp

Download
memory/3848-203-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/3848-202-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/3848-201-0x0000000009910000-0x0000000009911000-memory.dmp

Filesize
4KB

Download
memory/3848-196-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/3848-185-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/3848-184-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3848-193-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/3848-192-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/3848-191-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/3848-190-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/3848-189-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/3848-188-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/3848-187-0x0000000006B92000-0x0000000006B93000-memory.dmp

Filesize
4KB

Download
memory/4016-131-0x0000000000000000-mapping.dmp

Download
memory/4092-117-0x0000000000000000-mapping.dmp

Download