cryptbot | 0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
13-06-2021 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18dc9cf860133016c0c244b9ad579bd.exe
Size

1.7MB
MD5

d18dc9cf860133016c0c244b9ad579bd
SHA1

1fc0e27cdab3f5ff40cac4448f4023c0693ec071
SHA256

0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a
SHA512

77d9135160dc9e35c3112e8036e0f39778235c3630805001b1230090fba47104ed306e30b4633dcfcd4f0440d731ba5c4a61906ec1140f78bd0b2e3241e91f1f

Score

10^/10

cryptbot danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes

embedded_hash
410EB249B3A3D8613B29638D583F7193

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

36 2332 RUNDLL32.EXE
38 8 WScript.exe
40 8 WScript.exe
42 8 WScript.exe
44 8 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

Leva.exe.comLeva.exe.comLgXUBcTt.exe4.exevpn.exeSmartClock.exeqgqllxoq.exe

pid process

2736 Leva.exe.com
3280 Leva.exe.com
1892 LgXUBcTt.exe
2736 4.exe
3544 vpn.exe
3792 SmartClock.exe
4032 qgqllxoq.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

LgXUBcTt.exerundll32.exeRUNDLL32.EXE

pid process

1892 LgXUBcTt.exe
2576 rundll32.exe
2576 rundll32.exe
2332 RUNDLL32.EXE
2332 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com

flow	pid	process
36	2332	RUNDLL32.EXE
38	8	WScript.exe
40	8	WScript.exe
42	8	WScript.exe
44	8	WScript.exe

pid	process
2736	Leva.exe.com
3280	Leva.exe.com
1892	LgXUBcTt.exe
2736	4.exe
3544	vpn.exe
3792	SmartClock.exe
4032	qgqllxoq.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
1892	LgXUBcTt.exe
2576	rundll32.exe
2576	rundll32.exe
2332	RUNDLL32.EXE
2332	RUNDLL32.EXE

flow	ioc
23	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

LgXUBcTt.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	LgXUBcTt.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	LgXUBcTt.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	LgXUBcTt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXELeva.exe.comvpn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Leva.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Leva.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1200 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings vpn.exe

pid	process
1200	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

212 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3792 SmartClock.exe

pid	process
212	PING.EXE

pid	process
3792	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
2332	RUNDLL32.EXE
2332	RUNDLL32.EXE
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2576	rundll32.exe
Token: SeDebugPrivilege	2332	RUNDLL32.EXE
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.exeLeva.exe.comRUNDLL32.EXE

pid process

3176 d18dc9cf860133016c0c244b9ad579bd.exe
3280 Leva.exe.com
3280 Leva.exe.com
2332 RUNDLL32.EXE

pid	process
3176	d18dc9cf860133016c0c244b9ad579bd.exe
3280	Leva.exe.com
3280	Leva.exe.com
2332	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.execmd.execmd.exeLeva.exe.comLeva.exe.comcmd.exeLgXUBcTt.execmd.exe4.exevpn.exeqgqllxoq.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3176 wrote to memory of 2764	3176	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3176 wrote to memory of 2764	3176	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3176 wrote to memory of 2764	3176	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 3176 wrote to memory of 2808	3176	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 3176 wrote to memory of 2808	3176	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 3176 wrote to memory of 2808	3176	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 2808 wrote to memory of 804	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 804	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 804	2808	cmd.exe	cmd.exe
PID 804 wrote to memory of 2888	804	cmd.exe	findstr.exe
PID 804 wrote to memory of 2888	804	cmd.exe	findstr.exe
PID 804 wrote to memory of 2888	804	cmd.exe	findstr.exe
PID 804 wrote to memory of 2736	804	cmd.exe	Leva.exe.com
PID 804 wrote to memory of 2736	804	cmd.exe	Leva.exe.com
PID 804 wrote to memory of 2736	804	cmd.exe	Leva.exe.com
PID 804 wrote to memory of 212	804	cmd.exe	PING.EXE
PID 804 wrote to memory of 212	804	cmd.exe	PING.EXE
PID 804 wrote to memory of 212	804	cmd.exe	PING.EXE
PID 2736 wrote to memory of 3280	2736	Leva.exe.com	Leva.exe.com
PID 2736 wrote to memory of 3280	2736	Leva.exe.com	Leva.exe.com
PID 2736 wrote to memory of 3280	2736	Leva.exe.com	Leva.exe.com
PID 3280 wrote to memory of 196	3280	Leva.exe.com	cmd.exe
PID 3280 wrote to memory of 196	3280	Leva.exe.com	cmd.exe
PID 3280 wrote to memory of 196	3280	Leva.exe.com	cmd.exe
PID 196 wrote to memory of 1892	196	cmd.exe	LgXUBcTt.exe
PID 196 wrote to memory of 1892	196	cmd.exe	LgXUBcTt.exe
PID 196 wrote to memory of 1892	196	cmd.exe	LgXUBcTt.exe
PID 1892 wrote to memory of 2736	1892	LgXUBcTt.exe	4.exe
PID 1892 wrote to memory of 2736	1892	LgXUBcTt.exe	4.exe
PID 1892 wrote to memory of 2736	1892	LgXUBcTt.exe	4.exe
PID 1892 wrote to memory of 3544	1892	LgXUBcTt.exe	vpn.exe
PID 1892 wrote to memory of 3544	1892	LgXUBcTt.exe	vpn.exe
PID 1892 wrote to memory of 3544	1892	LgXUBcTt.exe	vpn.exe
PID 3280 wrote to memory of 2496	3280	Leva.exe.com	cmd.exe
PID 3280 wrote to memory of 2496	3280	Leva.exe.com	cmd.exe
PID 3280 wrote to memory of 2496	3280	Leva.exe.com	cmd.exe
PID 2496 wrote to memory of 1200	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 1200	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 1200	2496	cmd.exe	timeout.exe
PID 2736 wrote to memory of 3792	2736	4.exe	SmartClock.exe
PID 2736 wrote to memory of 3792	2736	4.exe	SmartClock.exe
PID 2736 wrote to memory of 3792	2736	4.exe	SmartClock.exe
PID 3544 wrote to memory of 4032	3544	vpn.exe	qgqllxoq.exe
PID 3544 wrote to memory of 4032	3544	vpn.exe	qgqllxoq.exe
PID 3544 wrote to memory of 4032	3544	vpn.exe	qgqllxoq.exe
PID 3544 wrote to memory of 4048	3544	vpn.exe	WScript.exe
PID 3544 wrote to memory of 4048	3544	vpn.exe	WScript.exe
PID 3544 wrote to memory of 4048	3544	vpn.exe	WScript.exe
PID 4032 wrote to memory of 2576	4032	qgqllxoq.exe	rundll32.exe
PID 4032 wrote to memory of 2576	4032	qgqllxoq.exe	rundll32.exe
PID 4032 wrote to memory of 2576	4032	qgqllxoq.exe	rundll32.exe
PID 2576 wrote to memory of 2332	2576	rundll32.exe	RUNDLL32.EXE
PID 2576 wrote to memory of 2332	2576	rundll32.exe	RUNDLL32.EXE
PID 2576 wrote to memory of 2332	2576	rundll32.exe	RUNDLL32.EXE
PID 2332 wrote to memory of 3496	2332	RUNDLL32.EXE	powershell.exe
PID 2332 wrote to memory of 3496	2332	RUNDLL32.EXE	powershell.exe
PID 2332 wrote to memory of 3496	2332	RUNDLL32.EXE	powershell.exe
PID 3544 wrote to memory of 8	3544	vpn.exe	WScript.exe
PID 3544 wrote to memory of 8	3544	vpn.exe	WScript.exe
PID 3544 wrote to memory of 8	3544	vpn.exe	WScript.exe
PID 2332 wrote to memory of 2880	2332	RUNDLL32.EXE	powershell.exe
PID 2332 wrote to memory of 2880	2332	RUNDLL32.EXE	powershell.exe
PID 2332 wrote to memory of 2880	2332	RUNDLL32.EXE	powershell.exe
PID 2880 wrote to memory of 1824	2880	powershell.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe
"C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Tornato.png
2⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^OlSktDCltJXwMRVSSmmpBhzNzZddlihGzPuRoTcXAVxOIQjWDdCKnvzBRyRyhkZWcdHWLtJZrCIFSEtDNxMUEDiXvEZrwfKgWbaapflmGDGWNNIjqgaSnyaRpKAutGXOSxJcjMxbphhqXk$" Basso.png
4⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
Leva.exe.com Q
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com Q
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\LgXUBcTt.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Users\Admin\AppData\Local\Temp\LgXUBcTt.exe
"C:\Users\Admin\AppData\Local\Temp\LgXUBcTt.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
8⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3792

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
8⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\qgqllxoq.exe
"C:\Users\Admin\AppData\Local\Temp\qgqllxoq.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\qgqllxoq.exe
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL,QBwkLDZHBVz8
11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3A84.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4D91.tmp.ps1"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
13⤵
PID:1824

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
12⤵
PID:3444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aculoyoywjra.vbs"
9⤵
PID:4048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kgrboaruy.vbs"
9⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com"
6⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1200

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
23c6838323eb16c49cf6ef54a9a952ed

SHA1
4dc6c326368f785fa17ba2ff3f29d9ba6bc28d9a

SHA256
e5aca5994864821fd2d47e283170288dc21f0bf76c788b1b42fb307fa315c70b

SHA512
53ff0b2c1fda9cec63236248ac58ff90dc52737acd52e715cfcc0bfb1c8eb0bf079d8d7aeb1be360c9416f1fc7bce3a09bfc9353f71362919e0c8442d85112ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Basso.png
MD5
172d4c14c7654c95a3474afbf4c4c104

SHA1
b16ec68de817985c4548bbb598de7cef365ae513

SHA256
4e8a9443d4d16f796dfd9f78e875bd5c0b66b69dd98c2f75fd30295e37c57119

SHA512
026e8afa026808f12e9605b588efe43859b8c7b49eec14607f3fa77f4791b1e63a0e773c775b0935f5cac92d130c4b2e53e1a3b20b9056d02215eb32fec42455

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornarvi.png
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Splendido.png
MD5
3efcd80a02332c9b2b84390a08d541d0

SHA1
d65943bec952053fccddd2e7865f0b50800d2283

SHA256
fe77afd57a0a9353d6370ca8d34d9c94ef5988a16655adc93e4b36aa1e4f5337

SHA512
8fcfb341b8be15378505400395c86a748430f97b0981177f0debfbca37db69983a4b81acb9d9cab95f8ad82e6a74bab1cb32258167a096d327913f44024ab237

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tornato.png
MD5
eaf43205aa58bcf0fcced0535fb97d34

SHA1
d42827604b82edf3722d6cc29be03de04ef66748

SHA256
3eed6c7c13b633199b1ddac6cf2574356817cd9409b456845ff47b25d1bffe09

SHA512
679c8c2e48532dd6db9e9592c0388936e77408620f5cc97e91ac2c6a2305b6c17ae4baab0fa5d5d61c22da0de36fa66f71dda4ed4f6b4b93c71ed7953ae57937

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\YSQXSB~1.ZIP
MD5
2f1e3606ae1c5bec5f6fbca288d1439e

SHA1
09b687d7409606c3f8b872765ba93e8c0c27b7d9

SHA256
dfbad958c094523d1d0e4f107d7fe1090e386e42b40bc7ed712ff349f0dc6eb8

SHA512
4c5a6f8b5f20b361c360f55cba9b3ed762a3c998a48ef54656ecf5e06254f29fc78b8880d85d13a41682cfb24d3ce9572d68e94675edfbc8edc88ebb45affabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\_Files\_Files\GRANTS~1.TXT
MD5
f0c9e4bf6410178da7e5256f34c5d5c2

SHA1
c783a23ece6351b20832613f60374fa30720280a

SHA256
f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1

SHA512
9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\_Files\_INFOR~1.TXT
MD5
b071054e14034e28778f5a85b1c9de6f

SHA1
af9ddeebcf7fc0d9c19d71dcc64bbf34ec898dde

SHA256
19b9c7be6c2a9b58f485e3ffc52507db06979c10bf631f4ddaae65c4b8fdd02a

SHA512
dc1a55bd23f904984715dd1457f1e8baac5806552c41631a2e55cc163cbb19783127fbceb8290b131ffafa469c0b0232864232dc47458155b758e5092d6987e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\_Files\_SCREE~1.JPE
MD5
956bb56c8ea987367d5ad1be69766042

SHA1
0e0e99992d96e9b9f4238966a41fc2c5ffed2dde

SHA256
17bc4210be496c718c6345884490d853a925dd170a3fbee880138645164e8184

SHA512
9653f23e88a51414bc73e6f00d0906bdf6d658cb33e4a7a8e8bac4235545066de2a272c0b6e9b00da8dcbc4087f5c5ef61ca369434254d0f5740bcd2e761baa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\files_\SCREEN~1.JPG
MD5
956bb56c8ea987367d5ad1be69766042

SHA1
0e0e99992d96e9b9f4238966a41fc2c5ffed2dde

SHA256
17bc4210be496c718c6345884490d853a925dd170a3fbee880138645164e8184

SHA512
9653f23e88a51414bc73e6f00d0906bdf6d658cb33e4a7a8e8bac4235545066de2a272c0b6e9b00da8dcbc4087f5c5ef61ca369434254d0f5740bcd2e761baa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\files_\SYSTEM~1.TXT
MD5
3182cdd2e1a3a93f88561479455691ef

SHA1
a0cf01eb50f2207a8683703375166b200d72afda

SHA256
b202ddf82c2920ef3da9c0dd23d6931c6ee0b8386e9cdb396b2a53443f641eb4

SHA512
be9b6f2efe87f9f2e05822b0afc204208e1a3bf842dbf42286f50aebae231e04bdc1969134dc4d39e086f0044e4092369f1e52fd749466e4a4d15ba70b838f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\files_\files\GRANTS~1.TXT
MD5
f0c9e4bf6410178da7e5256f34c5d5c2

SHA1
c783a23ece6351b20832613f60374fa30720280a

SHA256
f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1

SHA512
9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtbfHjUoJjafw\kVBjYqju.zip
MD5
b8895db76bcec7fec9ed35341faa0d36

SHA1
c6d4bc64040e8a5446e10ba1d240ec652fb74ba8

SHA256
7884bf07f8d552b81778fded24b4f1fab2575a14da25a74a7fbebd265ec74979

SHA512
4ed4566fc3bf94c165605c052d7bc8899854ab8136704874aa39417c21487bc83c4127fe872155bc26d11fc0f58820ac88ce8d7e6596939977a6e0a46dbbc130

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgXUBcTt.exe
MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgXUBcTt.exe
MD5
b805442d06f7fbba1772d15fdad402ce

SHA1
2bbc42ae47a2ec9ca1471931f8924197d073bf57

SHA256
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299

SHA512
f674205f2f28cf76af5960b0728eb2576d3572c9b51b4336309c458e005ec72b8ca197d140d266c2675affb4d2ba780b88406275eace42941cc0f0fdce8b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
06bbc875b35e47505013e38ef5e9c825

SHA1
372741d7fc3f7111c7f1a971170aa5c9cc4d3399

SHA256
ebe2283591a3fa0b2bc3900b962b765ab09d8e805c1d21e45626c579efac4782

SHA512
88af6066457871bf5bf10252487b15c01856f70aec14886e6bcb76023d97ebb3be7ef846e73ed91ac41faca53f0cf75b3c16af36758840d215a7488c80710c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aculoyoywjra.vbs
MD5
3668d776bc358e7154f0ea4b9e81e8a5

SHA1
eafb8cc59c23986fa0e40fbcc320acad28323af2

SHA256
dd486d32a5e313af71a0f46eedbea22af137a7479be55db0433fef5715f3a7d4

SHA512
158fd4a80dc03041b1e265cb6cfb9f3ea0018ce720e75d1f2a7a28fb5bc3b1398bff29d551e236453f971f6d3d41ceb0d768bda0d2ff35076ea01681b38ceabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgrboaruy.vbs
MD5
7752956ec61dbe961a1126b19d595f13

SHA1
443122f040a8ef631f87e7b3c176ac2a01d25011

SHA256
9508775a8bba875c6c5180c831873c4111a069dc345e36372821805af17cca59

SHA512
68b946d391b97c3f2d4a6891545f95c11500e8e6d9af154759a1dca7fce20401f9de6e531e34c71f136bc72bfa4d33487ed8af5dd89ec12606d6e60d89d0ed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgqllxoq.exe
MD5
eb1df62a8f67980bd4b6b5cfd53afa11

SHA1
11c623348cdb4893d039c55fb178a7843120c798

SHA256
405b79e798aeb349ceddb06d655d29da72a9c85bfbc73fc6ffe4e131d738304a

SHA512
f159dcb57f30305554fcea84dacda9182a9ee57953de4e35071ef11d228329e127b444527e55fe51a5475b737fd888344a520538370d0cae94f8dd30df586add

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgqllxoq.exe
MD5
eb1df62a8f67980bd4b6b5cfd53afa11

SHA1
11c623348cdb4893d039c55fb178a7843120c798

SHA256
405b79e798aeb349ceddb06d655d29da72a9c85bfbc73fc6ffe4e131d738304a

SHA512
f159dcb57f30305554fcea84dacda9182a9ee57953de4e35071ef11d228329e127b444527e55fe51a5475b737fd888344a520538370d0cae94f8dd30df586add

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A84.tmp.ps1
MD5
f48f4f438d01ccb1aeab751014671322

SHA1
c12cb896f580604555524fc66a4c49b4ab56188e

SHA256
8771a9ef8f7c0de0237f5c5a80e026111cc2d9466998df9cc9dd3584a3d62071

SHA512
99f8df624a4a7359270de89745924f205d175523714f492ed92de40874dc7f8e15080156c6a2727f53f9a4e2d67554d6c6ec8268a67822786dbe00d9e394ba6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A85.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D91.tmp.ps1
MD5
f2c3c7a3976fc25952ea3e011b3683ec

SHA1
b63407c84c588ad2d26b511215697feeb22afc7c

SHA256
08057959189ce95251ea9f1f041288711f15b299035f48edbd9f83cfee1a44e8

SHA512
f55dad56066b5c205db72e2c1f0a8b7651bfba1100312be7bb670df3a37e0b15703c3798ef7f9f6888a717ab0a042b5a64ae651338cb92abccbcc71c7872855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DA2.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
fd227a7538d17ed4f7998b83b730c087

SHA1
8370c13e88d96b86d6b55c92218ac328cea9e0da

SHA256
b224ac93890d1fbe59e8fd43f12107f2c24c5430a74380b45053207e6b0e412c

SHA512
86c0f6f6c72bbca21c9b0f1742e167120df24eb23a95418898eeb4d47322c4ef2d0c60682de6128f663c139385c8a001ff853c917ec818ffbc888560c879c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\QGQLLX~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd667C.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/8-204-0x0000000000000000-mapping.dmp

Download
memory/196-130-0x0000000000000000-mapping.dmp

Download
memory/212-123-0x0000000000000000-mapping.dmp

Download
memory/804-117-0x0000000000000000-mapping.dmp

Download
memory/1200-150-0x0000000000000000-mapping.dmp

Download
memory/1824-234-0x0000000000000000-mapping.dmp

Download
memory/1892-131-0x0000000000000000-mapping.dmp

Download
memory/2332-181-0x0000000004D81000-0x00000000053E0000-memory.dmp

Filesize
6.4MB

Download
memory/2332-180-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2332-178-0x00000000040A0000-0x0000000004665000-memory.dmp

Filesize
5.8MB

Download
memory/2332-174-0x0000000000000000-mapping.dmp

Download
memory/2332-220-0x0000000002600000-0x000000000274A000-memory.dmp

Filesize
1.3MB

Download
memory/2444-237-0x0000000000000000-mapping.dmp

Download
memory/2496-141-0x0000000000000000-mapping.dmp

Download
memory/2576-173-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2576-179-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2576-168-0x0000000000000000-mapping.dmp

Download
memory/2576-172-0x0000000004090000-0x0000000004655000-memory.dmp

Filesize
5.8MB

Download
memory/2576-177-0x0000000004C31000-0x0000000005290000-memory.dmp

Filesize
6.4MB

Download
memory/2736-121-0x0000000000000000-mapping.dmp

Download
memory/2736-135-0x0000000000000000-mapping.dmp

Download
memory/2736-157-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2736-156-0x0000000002090000-0x00000000020B6000-memory.dmp

Filesize
152KB

Download
memory/2764-114-0x0000000000000000-mapping.dmp

Download
memory/2808-115-0x0000000000000000-mapping.dmp

Download
memory/2880-223-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/2880-221-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2880-225-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2880-218-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/2880-209-0x0000000000000000-mapping.dmp

Download
memory/2880-238-0x00000000048B3000-0x00000000048B4000-memory.dmp

Filesize
4KB

Download
memory/2888-118-0x0000000000000000-mapping.dmp

Download
memory/3280-129-0x0000000001030000-0x000000000117A000-memory.dmp

Filesize
1.3MB

Download
memory/3280-125-0x0000000000000000-mapping.dmp

Download
memory/3444-239-0x0000000000000000-mapping.dmp

Download
memory/3496-191-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/3496-186-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/3496-193-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/3496-194-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/3496-195-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/3496-190-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/3496-197-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/3496-202-0x0000000009D20000-0x0000000009D21000-memory.dmp

Filesize
4KB

Download
memory/3496-203-0x00000000092C0000-0x00000000092C1000-memory.dmp

Filesize
4KB

Download
memory/3496-189-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3496-188-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/3496-206-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/3496-187-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3496-192-0x0000000006EE2000-0x0000000006EE3000-memory.dmp

Filesize
4KB

Download
memory/3496-185-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3496-182-0x0000000000000000-mapping.dmp

Download
memory/3496-219-0x0000000006EE3000-0x0000000006EE4000-memory.dmp

Filesize
4KB

Download
memory/3544-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3544-154-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3544-138-0x0000000000000000-mapping.dmp

Download
memory/3792-159-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3792-158-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3792-151-0x0000000000000000-mapping.dmp

Download
memory/4032-165-0x00000000034F0000-0x0000000003BF7000-memory.dmp

Filesize
7.0MB

Download
memory/4032-167-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/4032-166-0x0000000000400000-0x00000000011D1000-memory.dmp

Filesize
13.8MB

Download
memory/4032-160-0x0000000000000000-mapping.dmp

Download
memory/4048-163-0x0000000000000000-mapping.dmp

Download