cryptbot | 7224633aec5f96349eea1bc38ae40d5cbc1d5ed120aee617efca5ba7facafa26

Analysis

max time kernel
128s
max time network
144s
platform
windows10_x64
resource
win10v20210410
submitted
23-07-2021 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

395d2c345e8212d9ff97248a13824075.exe
Size

641KB
MD5

395d2c345e8212d9ff97248a13824075
SHA1

8cff8ab4dd9765a60735697d86af2c5d90fdee0f
SHA256

7224633aec5f96349eea1bc38ae40d5cbc1d5ed120aee617efca5ba7facafa26
SHA512

beeb6bc8769b81df7edf5470921c5c27a686c50405a8f47a1ac00b9a65d3255b69f57094e2055db556c60cb224b133724f8edc69adc0b6b35056acb38847ff86

Score

10^/10

cryptbot danabot 4 banker discovery spyware stealer suricata trojan

Malware Config

Extracted

Family

cryptbot

smasrp42.top

morbea04.top

Attributes

payload_url
http://gurdgo06.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4432-115-0x0000000000400000-0x000000000090A000-memory.dmp	family_cryptbot
behavioral2/memory/4432-114-0x00000000025F0000-0x00000000026D1000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

39 1836 WScript.exe
41 1836 WScript.exe
43 1836 WScript.exe
45 1836 WScript.exe
48 1292 rundll32.exe
49 2756 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

YFcQTmV.exe4.exevpn.exeSmartClock.exeofyhtejn.exe

pid process

768 YFcQTmV.exe
4108 4.exe
4040 vpn.exe
4244 SmartClock.exe
660 ofyhtejn.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 3 IoCs

Processes:

YFcQTmV.exerundll32.exeRUNDLL32.EXE

pid process

768 YFcQTmV.exe
1292 rundll32.exe
2756 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	pid	process
39	1836	WScript.exe
41	1836	WScript.exe
43	1836	WScript.exe
45	1836	WScript.exe
48	1292	rundll32.exe
49	2756	RUNDLL32.EXE

pid	process
768	YFcQTmV.exe
4108	4.exe
4040	vpn.exe
4244	SmartClock.exe
660	ofyhtejn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
768	YFcQTmV.exe
1292	rundll32.exe
2756	RUNDLL32.EXE

flow	ioc
22	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

YFcQTmV.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	YFcQTmV.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	YFcQTmV.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	YFcQTmV.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

395d2c345e8212d9ff97248a13824075.exeRUNDLL32.EXEvpn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	395d2c345e8212d9ff97248a13824075.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	395d2c345e8212d9ff97248a13824075.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4256 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings vpn.exe

pid	process
4256	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXEWScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ACB689B6C65FCC6456C5FB4A5740A99B4CB4854E\Blob = 030000000100000014000000acb689b6c65fcc6456c5fb4a5740a99b4cb4854e200000000100000026020000308202223082018ba0030201020208718badd65353cc49300d06092a864886f70d01010b05003030312e302c06035504030c254d693463726f736f667420526f6f7420436572746966696361746520417574686f72697479301e170d3139303732343036323732365a170d3233303732333036323732365a3030312e302c06035504030c254d693463726f736f667420526f6f7420436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100ce7ecefe2a05e823eae4e9a06177866b30d45a70bc0092b6ae1979e6152e0328849d755f5d8e041ba276675ef00e2d79fa3a9467780d5d2e577ec66a20e79cac3bafd0de4bbea4a77a76f1817252490a8f47a291b45ba86325904c400c2be86db0aad768124ff49d0ed4855a96d60d79d4b0c0b056d580ca07fd4c5e518867ff0203010001a3453043300f0603551d130101ff040530030101ff30300603551d110429302782254d693463726f736f667420526f6f7420436572746966696361746520417574686f72697479300d06092a864886f70d01010b050003818100b42e707a98d9cd673c0782454bf5df220a1ddfebc39a722f261a14ba7c5d645311b89350d088baa40ea7179b772dfb86c3b06c9af95c1b6e8be13666d846640d2cc6c7dcc42ad8ce131626c483bd625e20e761a97dfa179d89566d5c91001013027da4257a89bba66bf4dac219fa119688c499774717ac9ea76964b139800e87	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ACB689B6C65FCC6456C5FB4A5740A99B4CB4854E	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4244 SmartClock.exe

pid	process
4244	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
2756	RUNDLL32.EXE
2756	RUNDLL32.EXE
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2756 RUNDLL32.EXE
Token: SeDebugPrivilege 2856 powershell.exe
Token: SeDebugPrivilege 4288 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

395d2c345e8212d9ff97248a13824075.exeRUNDLL32.EXE

pid process

4432 395d2c345e8212d9ff97248a13824075.exe
4432 395d2c345e8212d9ff97248a13824075.exe
2756 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2756	RUNDLL32.EXE
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe

pid	process
4432	395d2c345e8212d9ff97248a13824075.exe
4432	395d2c345e8212d9ff97248a13824075.exe
2756	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

395d2c345e8212d9ff97248a13824075.execmd.exeYFcQTmV.execmd.exe4.exevpn.exeofyhtejn.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4432 wrote to memory of 4016	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 4432 wrote to memory of 4016	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 4432 wrote to memory of 4016	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 4016 wrote to memory of 768	4016	cmd.exe	YFcQTmV.exe
PID 4016 wrote to memory of 768	4016	cmd.exe	YFcQTmV.exe
PID 4016 wrote to memory of 768	4016	cmd.exe	YFcQTmV.exe
PID 768 wrote to memory of 4108	768	YFcQTmV.exe	4.exe
PID 768 wrote to memory of 4108	768	YFcQTmV.exe	4.exe
PID 768 wrote to memory of 4108	768	YFcQTmV.exe	4.exe
PID 768 wrote to memory of 4040	768	YFcQTmV.exe	vpn.exe
PID 768 wrote to memory of 4040	768	YFcQTmV.exe	vpn.exe
PID 768 wrote to memory of 4040	768	YFcQTmV.exe	vpn.exe
PID 4432 wrote to memory of 3976	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 4432 wrote to memory of 3976	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 4432 wrote to memory of 3976	4432	395d2c345e8212d9ff97248a13824075.exe	cmd.exe
PID 3976 wrote to memory of 4256	3976	cmd.exe	timeout.exe
PID 3976 wrote to memory of 4256	3976	cmd.exe	timeout.exe
PID 3976 wrote to memory of 4256	3976	cmd.exe	timeout.exe
PID 4108 wrote to memory of 4244	4108	4.exe	SmartClock.exe
PID 4108 wrote to memory of 4244	4108	4.exe	SmartClock.exe
PID 4108 wrote to memory of 4244	4108	4.exe	SmartClock.exe
PID 4040 wrote to memory of 660	4040	vpn.exe	ofyhtejn.exe
PID 4040 wrote to memory of 660	4040	vpn.exe	ofyhtejn.exe
PID 4040 wrote to memory of 660	4040	vpn.exe	ofyhtejn.exe
PID 4040 wrote to memory of 1956	4040	vpn.exe	WScript.exe
PID 4040 wrote to memory of 1956	4040	vpn.exe	WScript.exe
PID 4040 wrote to memory of 1956	4040	vpn.exe	WScript.exe
PID 660 wrote to memory of 1292	660	ofyhtejn.exe	rundll32.exe
PID 660 wrote to memory of 1292	660	ofyhtejn.exe	rundll32.exe
PID 660 wrote to memory of 1292	660	ofyhtejn.exe	rundll32.exe
PID 4040 wrote to memory of 1836	4040	vpn.exe	WScript.exe
PID 4040 wrote to memory of 1836	4040	vpn.exe	WScript.exe
PID 4040 wrote to memory of 1836	4040	vpn.exe	WScript.exe
PID 1292 wrote to memory of 2756	1292	rundll32.exe	RUNDLL32.EXE
PID 1292 wrote to memory of 2756	1292	rundll32.exe	RUNDLL32.EXE
PID 1292 wrote to memory of 2756	1292	rundll32.exe	RUNDLL32.EXE
PID 2756 wrote to memory of 2856	2756	RUNDLL32.EXE	powershell.exe
PID 2756 wrote to memory of 2856	2756	RUNDLL32.EXE	powershell.exe
PID 2756 wrote to memory of 2856	2756	RUNDLL32.EXE	powershell.exe
PID 2756 wrote to memory of 4288	2756	RUNDLL32.EXE	powershell.exe
PID 2756 wrote to memory of 4288	2756	RUNDLL32.EXE	powershell.exe
PID 2756 wrote to memory of 4288	2756	RUNDLL32.EXE	powershell.exe
PID 4288 wrote to memory of 4928	4288	powershell.exe	nslookup.exe
PID 4288 wrote to memory of 4928	4288	powershell.exe	nslookup.exe
PID 4288 wrote to memory of 4928	4288	powershell.exe	nslookup.exe
PID 2756 wrote to memory of 4964	2756	RUNDLL32.EXE	schtasks.exe
PID 2756 wrote to memory of 4964	2756	RUNDLL32.EXE	schtasks.exe
PID 2756 wrote to memory of 4964	2756	RUNDLL32.EXE	schtasks.exe
PID 2756 wrote to memory of 4492	2756	RUNDLL32.EXE	schtasks.exe
PID 2756 wrote to memory of 4492	2756	RUNDLL32.EXE	schtasks.exe
PID 2756 wrote to memory of 4492	2756	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\395d2c345e8212d9ff97248a13824075.exe
"C:\Users\Admin\AppData\Local\Temp\395d2c345e8212d9ff97248a13824075.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\YFcQTmV.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\YFcQTmV.exe
"C:\Users\Admin\AppData\Local\Temp\YFcQTmV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4244

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Local\Temp\ofyhtejn.exe
"C:\Users\Admin\AppData\Local\Temp\ofyhtejn.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\OFYHTE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\ofyhtejn.exe
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\OFYHTE~1.TMP,Mx0WcQ==
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA1AF.tmp.ps1"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB1AF.tmp.ps1"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
9⤵
PID:4928

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:4964

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:4492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wfqaaqadssc.vbs"
5⤵
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\swxvygm.vbs"
5⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\seCJNqWtx & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\395d2c345e8212d9ff97248a13824075.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
28af8cb2774479463f175bc7b7635092

SHA1
a870d7de7f76cd66e7716b3ef4af412aae0a7a63

SHA256
bcacc0f1afb24b1f902acc8caae2679c850ce8c3e08daaff51d6ebfe70d969c1

SHA512
ac69eb7993fd5cd15ed4b96a0220c86dfb629e7029021804b01569d0290572b834834b6a577c350d0d3e93f8615713e002622eea3f43ae24e4753e96435e7c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fec1a7a13bb621c2fda1a8340ba0a4b3

SHA1
e55b41404296cd480d882418b1b9378f117f963e

SHA256
16667b45ee731cd3290cc856da0db13c9599c0000b5bc1399a0924e997c7a93a

SHA512
1b3ea6c244ff5c5fa128fcccf94603e72cb62cfbb43b99b26dadefa5872a67c1b448b51f0a9ed2c33351889f8f34946ab3fd2ec15f4b9c8febd0dcc52cba54ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
14e173fe07917fef4e641eb80a2fa213

SHA1
3bdd028b2fccd6c774c21ddb9a3afc916b1d06df

SHA256
da4e48e3137b9bd0bfd3a9da5e205f93125bec8f4852336c07e3813fe0875679

SHA512
0102f8a53d564bcfa5ee328e9e5ee9f440919adae986e7b15674960c3af435cad1eefc684392cf918e9b6870995cf44f7860c49f219d4617922a1dcabcb9483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
14e173fe07917fef4e641eb80a2fa213

SHA1
3bdd028b2fccd6c774c21ddb9a3afc916b1d06df

SHA256
da4e48e3137b9bd0bfd3a9da5e205f93125bec8f4852336c07e3813fe0875679

SHA512
0102f8a53d564bcfa5ee328e9e5ee9f440919adae986e7b15674960c3af435cad1eefc684392cf918e9b6870995cf44f7860c49f219d4617922a1dcabcb9483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4db8c2308b5ab9c8b43d8111272d1d1a

SHA1
8a556d2c045865033e230e16c69e406341ce602f

SHA256
89dc7453ef96644bae0d1c9419681d0587ec68ab08cd6fbb27599b798cc608c5

SHA512
36367a26e5b02c9977a5a63cd9ae102a612e426253ef18ca8acf4e48369b8a61a0c9b6631a8f5fef1f1a09dec8204d95fff06b5dbd94b9d04b7892c8c6c8d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4db8c2308b5ab9c8b43d8111272d1d1a

SHA1
8a556d2c045865033e230e16c69e406341ce602f

SHA256
89dc7453ef96644bae0d1c9419681d0587ec68ab08cd6fbb27599b798cc608c5

SHA512
36367a26e5b02c9977a5a63cd9ae102a612e426253ef18ca8acf4e48369b8a61a0c9b6631a8f5fef1f1a09dec8204d95fff06b5dbd94b9d04b7892c8c6c8d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFYHTE~1.TMP
MD5
c92a53cc671aa0e174d0697f7b6e35e9

SHA1
a2dd513e7988b2e2d56b4bede0840093ad2ac4bb

SHA256
aaf22f0fb83992b924ada07e7f7353c8cda6a208330aefc1e5127fcccc9e2aea

SHA512
e158f8318b2715a8176d15b5778632c99fbea5217f5921ce9da2737e3f63049c75a1982577c65f938b4dd62b853adbee80d0af0251dceae3f395a6ec87602e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFcQTmV.exe
MD5
a6a8f833fdd0b5f4ee7b46714a3d20c7

SHA1
bb056be49140db02baa6b03618d0fa4fdc14ea0f

SHA256
c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3

SHA512
d237d4e6d17c31a19a633c88c11b47e63fcb9fee386ab1772103e068cf59c56ac2676184e17e612b1dc345b69643d65fa89ddcb7ea87dab8d593eb6867cc10aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFcQTmV.exe
MD5
a6a8f833fdd0b5f4ee7b46714a3d20c7

SHA1
bb056be49140db02baa6b03618d0fa4fdc14ea0f

SHA256
c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3

SHA512
d237d4e6d17c31a19a633c88c11b47e63fcb9fee386ab1772103e068cf59c56ac2676184e17e612b1dc345b69643d65fa89ddcb7ea87dab8d593eb6867cc10aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofyhtejn.exe
MD5
ff776b2fb6736075adfcb1739a180491

SHA1
1c5cb0eb48f441d8493f7c5f6428d7af8c1c9abb

SHA256
ef6fc7bf417d763f9c7c8c9bf723ce7d3b4acbeb4cc47e65bcb3d6b8f143fee2

SHA512
58fe0bb6f3dcda9831332d0dfcd0d5a92d58ed1107a3d246c4b092be384535be0d1d33ca9728b6944be171e3fa62663608e27ca7834a725b6ca9f81fcba853c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofyhtejn.exe
MD5
ff776b2fb6736075adfcb1739a180491

SHA1
1c5cb0eb48f441d8493f7c5f6428d7af8c1c9abb

SHA256
ef6fc7bf417d763f9c7c8c9bf723ce7d3b4acbeb4cc47e65bcb3d6b8f143fee2

SHA512
58fe0bb6f3dcda9831332d0dfcd0d5a92d58ed1107a3d246c4b092be384535be0d1d33ca9728b6944be171e3fa62663608e27ca7834a725b6ca9f81fcba853c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\MHQIBA~1.ZIP
MD5
8d7b35524e17ffc7a6499c01ea51e6ff

SHA1
0a679455cedc9b33034c011512f86789d65979e0

SHA256
18dc2ac155cba1312085a9426efc69c1c8dc89b02b453031b6187c327138675b

SHA512
244c8efcdf9b4a2b246be86568a82211dff6bf924fd2078269718ae1ba26e655fc21ae932b90fce9c0a9f050dc71c7fce7872ff2e5198d871c6d3387c0798416

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\WYOFQA~1.ZIP
MD5
d96943e74e54059403d1da4678ce8af6

SHA1
ae741a492a8c748ef9f8d1628c11198390fdc3ba

SHA256
66eab9a2b7ceb84da5ee5b8b7a4043f23143d14e3f78d7448f1fe9746f4cf22f

SHA512
715939f871b2fc52b853656f78a4432393f526cd4696badbd3dd7ef1c6e55b1232abb799990b898d67605c9cb5665e66deab42891b72942cd44f3cf12a4e8daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\_Files\_INFOR~1.TXT
MD5
fdbe28eb89d6471f96c875cae13002b8

SHA1
c2868e270eb8af706932fe5093c0bbccef077649

SHA256
4f3e47f22fcbfed3423c0ac8cb40eee2a087ef90cdb2c44468cef3e61028106a

SHA512
4c7904f2b9b776893ae00dbc819023fc39639e335d0715ba250795650c0822e626ccabb70a025b8a4050234f4e24e415f01295e8c5b2af3644685fadf41ba201

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\_Files\_SCREE~1.JPE
MD5
8be301d521cdd4fcbd00728a1606c3ae

SHA1
96e4ab2666a68c076a424eb9aad25e5ba3b2a8d3

SHA256
7ecb85a8bbbafc934ba2b56ec349f6d25d7a08b055262c5f41497580ec1a4278

SHA512
02964924f17ff9e91898d5a1cd6a42cdb6ac9e57228b8ec4ffc1a23d76328df8066dd522c6e9f3b06888aa1f6d8ae51a297adc125520c97c33a7832b9b9bf141

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\files_\SCREEN~1.JPG
MD5
8be301d521cdd4fcbd00728a1606c3ae

SHA1
96e4ab2666a68c076a424eb9aad25e5ba3b2a8d3

SHA256
7ecb85a8bbbafc934ba2b56ec349f6d25d7a08b055262c5f41497580ec1a4278

SHA512
02964924f17ff9e91898d5a1cd6a42cdb6ac9e57228b8ec4ffc1a23d76328df8066dd522c6e9f3b06888aa1f6d8ae51a297adc125520c97c33a7832b9b9bf141

Download Submit
C:\Users\Admin\AppData\Local\Temp\seCJNqWtx\files_\SYSTEM~1.TXT
MD5
57fed2eacdea06420524fcc6b9e1bfb5

SHA1
4716adc24f66fa233edd098286238185988b0735

SHA256
3ba27a549d50f9e55bde2bdc8414a078ac7446802721006c311f0ff87bfe0204

SHA512
7814050a625b1f96659466a3fde3e1057c8ea1f07c8a0525fbebcf34673a6a97f530547dd76108bc14e8f1ed3a5749103977d978f6a61d26f07cc26f2cf57fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\swxvygm.vbs
MD5
39613eea0ad7e72e08e85eba793eea2b

SHA1
6dbae9aa3a60eb82dfab9abcb19e7c9b42b9421d

SHA256
106c3699bf04425f1eb760feede4adff43f26db8029b05a4d7f20f5a9f591286

SHA512
8f4745d92ea6dae2ca608dc397e2029602edbf9d4b7257b5241b9360dde6ebbea514ba164aadf5a1e8c665951f61e1ea18a8b673d055b6ab3dbd2bc2a2c67508

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1AF.tmp.ps1
MD5
6253290115e79187ab2ef509090f1d11

SHA1
d6911031d12bd36eb05fa6e90a3b8e8bfdf0a04d

SHA256
8735301c2ff4119c8a1de20833eb0aa1c0dcb9750e35e5f0ecbe516e4d829335

SHA512
8ab5e363e5618df60440b24872986a5d0852e384b7409aace44449cd546cae6ff3b34725336a04a9e23b8fbac862266f7b93795787259a0d5443de073d3f57fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1B0.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1AF.tmp.ps1
MD5
5797d6f78faee58616d16807d7fd76e6

SHA1
8b26ae2acd7785cde2334db5cfea4c0a317b670f

SHA256
a2edd2005b9f98396fdf85d7d14f6005715881a8c14296a6be3a6ab9e2d51f66

SHA512
f8866f95aeb82f4f620dde36c2893c0b1311b2b8504820534da03593439943b120ce74659f775d0900e8e36e363e823ce770d780a6ae522f8ef3089314a6f175

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1B0.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfqaaqadssc.vbs
MD5
169bbba1af41ee3a8eebb4c7280711f6

SHA1
19ec6c5dc5495ad9a390edfad849cf7bdea95ee7

SHA256
8562f34e6017116ef55b62264d086a71726ba59c2cd9cd8216178c544709dff7

SHA512
c285217cac895ae2fa6b0e90fa40e6a8ce7bda4c8dc4c4914aa30aa7935abfa352fd0e767be4138e86e555444ffb514a6b093fc91127f3b744cee4179ff5ce91

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
14e173fe07917fef4e641eb80a2fa213

SHA1
3bdd028b2fccd6c774c21ddb9a3afc916b1d06df

SHA256
da4e48e3137b9bd0bfd3a9da5e205f93125bec8f4852336c07e3813fe0875679

SHA512
0102f8a53d564bcfa5ee328e9e5ee9f440919adae986e7b15674960c3af435cad1eefc684392cf918e9b6870995cf44f7860c49f219d4617922a1dcabcb9483c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
14e173fe07917fef4e641eb80a2fa213

SHA1
3bdd028b2fccd6c774c21ddb9a3afc916b1d06df

SHA256
da4e48e3137b9bd0bfd3a9da5e205f93125bec8f4852336c07e3813fe0875679

SHA512
0102f8a53d564bcfa5ee328e9e5ee9f440919adae986e7b15674960c3af435cad1eefc684392cf918e9b6870995cf44f7860c49f219d4617922a1dcabcb9483c

Download Submit
\Users\Admin\AppData\Local\Temp\OFYHTE~1.TMP
MD5
c92a53cc671aa0e174d0697f7b6e35e9

SHA1
a2dd513e7988b2e2d56b4bede0840093ad2ac4bb

SHA256
aaf22f0fb83992b924ada07e7f7353c8cda6a208330aefc1e5127fcccc9e2aea

SHA512
e158f8318b2715a8176d15b5778632c99fbea5217f5921ce9da2737e3f63049c75a1982577c65f938b4dd62b853adbee80d0af0251dceae3f395a6ec87602e8d

Download Submit
\Users\Admin\AppData\Local\Temp\OFYHTE~1.TMP
MD5
c92a53cc671aa0e174d0697f7b6e35e9

SHA1
a2dd513e7988b2e2d56b4bede0840093ad2ac4bb

SHA256
aaf22f0fb83992b924ada07e7f7353c8cda6a208330aefc1e5127fcccc9e2aea

SHA512
e158f8318b2715a8176d15b5778632c99fbea5217f5921ce9da2737e3f63049c75a1982577c65f938b4dd62b853adbee80d0af0251dceae3f395a6ec87602e8d

Download Submit
\Users\Admin\AppData\Local\Temp\nss5AB9.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/660-152-0x0000000000400000-0x000000000097F000-memory.dmp

Filesize
5.5MB

Download
memory/660-148-0x0000000002730000-0x0000000002830000-memory.dmp

Filesize
1024KB

Download
memory/660-142-0x0000000000000000-mapping.dmp

Download
memory/768-117-0x0000000000000000-mapping.dmp

Download
memory/1292-149-0x0000000000000000-mapping.dmp

Download
memory/1292-159-0x0000000005160000-0x00000000063F6000-memory.dmp

Filesize
18.6MB

Download
memory/1836-153-0x0000000000000000-mapping.dmp

Download
memory/1956-145-0x0000000000000000-mapping.dmp

Download
memory/2756-163-0x00000000049F0000-0x0000000005C86000-memory.dmp

Filesize
18.6MB

Download
memory/2756-157-0x0000000000000000-mapping.dmp

Download
memory/2856-179-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/2856-172-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2856-186-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/2856-184-0x00000000096C0000-0x00000000096C1000-memory.dmp

Filesize
4KB

Download
memory/2856-189-0x0000000001113000-0x0000000001114000-memory.dmp

Filesize
4KB

Download
memory/2856-177-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/2856-176-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2856-164-0x0000000000000000-mapping.dmp

Download
memory/2856-167-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2856-168-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/2856-169-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/2856-170-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2856-171-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/2856-185-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/2856-173-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/2856-174-0x0000000001112000-0x0000000001113000-memory.dmp

Filesize
4KB

Download
memory/2856-175-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/3976-127-0x0000000000000000-mapping.dmp

Download
memory/4016-116-0x0000000000000000-mapping.dmp

Download
memory/4040-123-0x0000000000000000-mapping.dmp

Download
memory/4040-138-0x0000000000900000-0x00000000009AE000-memory.dmp

Filesize
696KB

Download
memory/4040-140-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/4108-141-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/4108-121-0x0000000000000000-mapping.dmp

Download
memory/4108-139-0x0000000002390000-0x00000000023B6000-memory.dmp

Filesize
152KB

Download
memory/4244-135-0x0000000000000000-mapping.dmp

Download
memory/4244-147-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/4256-134-0x0000000000000000-mapping.dmp

Download
memory/4288-199-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/4288-190-0x0000000000000000-mapping.dmp

Download
memory/4288-202-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/4288-203-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4288-204-0x0000000000CF2000-0x0000000000CF3000-memory.dmp

Filesize
4KB

Download
memory/4288-217-0x0000000000CF3000-0x0000000000CF4000-memory.dmp

Filesize
4KB

Download
memory/4432-115-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/4432-114-0x00000000025F0000-0x00000000026D1000-memory.dmp

Filesize
900KB

Download
memory/4492-218-0x0000000000000000-mapping.dmp

Download
memory/4928-213-0x0000000000000000-mapping.dmp

Download
memory/4964-216-0x0000000000000000-mapping.dmp

Download