cryptbot | 50f41c07db1d0d625cd0746a78dc15a1193f4fd0f80e6a4df40315f24efe2110

Analysis

max time kernel
136s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
27-07-2021 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737d02c261755ff5c920fa52d4f03fce.exe
Size

758KB
MD5

737d02c261755ff5c920fa52d4f03fce
SHA1

bf966e82d41c1fe537763339fa779e3ba9236331
SHA256

50f41c07db1d0d625cd0746a78dc15a1193f4fd0f80e6a4df40315f24efe2110
SHA512

83f0abaacb5c470d31372d97a0aae5e64bfbb73c401341e71be9d65984346d4ea68cae09a400f36567daf604e81db4d3806dfffbf5e2c4668e8c079688382bfb

Score

10^/10

cryptbot danabot 4 banker discovery spyware stealer suricata trojan

Malware Config

Extracted

Family

cryptbot

ewaisg12.top

morvay01.top

Attributes

payload_url
http://winezo01.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-114-0x0000000002230000-0x0000000002311000-memory.dmp	family_cryptbot
behavioral2/memory/4648-115-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

38 2824 WScript.exe
40 2824 WScript.exe
42 2824 WScript.exe
44 2824 WScript.exe
46 2620 rundll32.exe
47 4032 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

CkrsXav.exe4.exevpn.exeSmartClock.exedcgjnoy.exe

pid process

4188 CkrsXav.exe
2432 4.exe
504 vpn.exe
1496 SmartClock.exe
1872 dcgjnoy.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

CkrsXav.exerundll32.exeRUNDLL32.EXE

pid process

4188 CkrsXav.exe
2620 rundll32.exe
2620 rundll32.exe
4032 RUNDLL32.EXE
4032 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	pid	process
38	2824	WScript.exe
40	2824	WScript.exe
42	2824	WScript.exe
44	2824	WScript.exe
46	2620	rundll32.exe
47	4032	RUNDLL32.EXE

pid	process
4188	CkrsXav.exe
2432	4.exe
504	vpn.exe
1496	SmartClock.exe
1872	dcgjnoy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
4188	CkrsXav.exe
2620	rundll32.exe
2620	rundll32.exe
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE

flow	ioc
22	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

CkrsXav.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	CkrsXav.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	CkrsXav.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	CkrsXav.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE737d02c261755ff5c920fa52d4f03fce.exevpn.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	737d02c261755ff5c920fa52d4f03fce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	737d02c261755ff5c920fa52d4f03fce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1112 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings vpn.exe

pid	process
1112	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXEWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\489B87FD284C590BC6766E95EBD8E0E8099D1A46	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\489B87FD284C590BC6766E95EBD8E0E8099D1A46\Blob = 030000000100000014000000489b87fd284c590bc6766e95ebd8e0e8099d1a4620000000010000009e0200003082029a30820203a00302010202087751892200295624300d06092a864886f70d01010b0500306d312c302a06035504030c234469326769436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139303732383137343233385a170d3233303732373137343233385a306d312c302a06035504030c234469326769436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c28c82505c6834c97fce3edadbdc1f630a8d32ab06ab8f60c7ea1f1ffe54fe3d60593f6b9d759efdbe3bc7857dd1348daf01aba1d4541e498ef89f4f8b3803ed917aa1d03fc96e4d879cefbcd5b92cd40eb8e6f90ffa939bd14688180da6208c1784027e1609112ef093672db0b3efb42da91253fedf6f17346162347014fb710203010001a3433041300f0603551d130101ff040530030101ff302e0603551d110427302582234469326769436572742048696768204173737572616e636520455620526f6f74204341300d06092a864886f70d01010b05000381810058c831990f5c6c919a88b2884eb82408205b88aed438cc8b93f172ae64e620cd06c58820e2fb9e37288e84785c7c11cba4896dd20e5d5223681e4326d99dbea28c5528fe7d5a06a5e05e2b3cd2f913d27182cbd151e48e4199ca6f6bd806e6d35487bdd522c06d1100c3f2653d3643e87ffde9e7b03c06587612225ae6b5229d	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1496 SmartClock.exe

pid	process
1496	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
4032	RUNDLL32.EXE
4032	RUNDLL32.EXE
1336	powershell.exe
1336	powershell.exe
1336	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4032 RUNDLL32.EXE
Token: SeDebugPrivilege 4428 powershell.exe
Token: SeDebugPrivilege 1336 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

737d02c261755ff5c920fa52d4f03fce.exeRUNDLL32.EXE

pid process

4648 737d02c261755ff5c920fa52d4f03fce.exe
4648 737d02c261755ff5c920fa52d4f03fce.exe
4032 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	4032	RUNDLL32.EXE
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe

pid	process
4648	737d02c261755ff5c920fa52d4f03fce.exe
4648	737d02c261755ff5c920fa52d4f03fce.exe
4032	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

737d02c261755ff5c920fa52d4f03fce.execmd.exeCkrsXav.execmd.exe4.exevpn.exedcgjnoy.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4648 wrote to memory of 4092	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 4648 wrote to memory of 4092	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 4648 wrote to memory of 4092	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 4092 wrote to memory of 4188	4092	cmd.exe	CkrsXav.exe
PID 4092 wrote to memory of 4188	4092	cmd.exe	CkrsXav.exe
PID 4092 wrote to memory of 4188	4092	cmd.exe	CkrsXav.exe
PID 4188 wrote to memory of 2432	4188	CkrsXav.exe	4.exe
PID 4188 wrote to memory of 2432	4188	CkrsXav.exe	4.exe
PID 4188 wrote to memory of 2432	4188	CkrsXav.exe	4.exe
PID 4188 wrote to memory of 504	4188	CkrsXav.exe	vpn.exe
PID 4188 wrote to memory of 504	4188	CkrsXav.exe	vpn.exe
PID 4188 wrote to memory of 504	4188	CkrsXav.exe	vpn.exe
PID 4648 wrote to memory of 804	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 4648 wrote to memory of 804	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 4648 wrote to memory of 804	4648	737d02c261755ff5c920fa52d4f03fce.exe	cmd.exe
PID 804 wrote to memory of 1112	804	cmd.exe	timeout.exe
PID 804 wrote to memory of 1112	804	cmd.exe	timeout.exe
PID 804 wrote to memory of 1112	804	cmd.exe	timeout.exe
PID 2432 wrote to memory of 1496	2432	4.exe	SmartClock.exe
PID 2432 wrote to memory of 1496	2432	4.exe	SmartClock.exe
PID 2432 wrote to memory of 1496	2432	4.exe	SmartClock.exe
PID 504 wrote to memory of 1872	504	vpn.exe	dcgjnoy.exe
PID 504 wrote to memory of 1872	504	vpn.exe	dcgjnoy.exe
PID 504 wrote to memory of 1872	504	vpn.exe	dcgjnoy.exe
PID 504 wrote to memory of 2200	504	vpn.exe	WScript.exe
PID 504 wrote to memory of 2200	504	vpn.exe	WScript.exe
PID 504 wrote to memory of 2200	504	vpn.exe	WScript.exe
PID 1872 wrote to memory of 2620	1872	dcgjnoy.exe	rundll32.exe
PID 1872 wrote to memory of 2620	1872	dcgjnoy.exe	rundll32.exe
PID 1872 wrote to memory of 2620	1872	dcgjnoy.exe	rundll32.exe
PID 504 wrote to memory of 2824	504	vpn.exe	WScript.exe
PID 504 wrote to memory of 2824	504	vpn.exe	WScript.exe
PID 504 wrote to memory of 2824	504	vpn.exe	WScript.exe
PID 2620 wrote to memory of 4032	2620	rundll32.exe	RUNDLL32.EXE
PID 2620 wrote to memory of 4032	2620	rundll32.exe	RUNDLL32.EXE
PID 2620 wrote to memory of 4032	2620	rundll32.exe	RUNDLL32.EXE
PID 4032 wrote to memory of 4428	4032	RUNDLL32.EXE	powershell.exe
PID 4032 wrote to memory of 4428	4032	RUNDLL32.EXE	powershell.exe
PID 4032 wrote to memory of 4428	4032	RUNDLL32.EXE	powershell.exe
PID 4032 wrote to memory of 1336	4032	RUNDLL32.EXE	powershell.exe
PID 4032 wrote to memory of 1336	4032	RUNDLL32.EXE	powershell.exe
PID 4032 wrote to memory of 1336	4032	RUNDLL32.EXE	powershell.exe
PID 1336 wrote to memory of 5060	1336	powershell.exe	nslookup.exe
PID 1336 wrote to memory of 5060	1336	powershell.exe	nslookup.exe
PID 1336 wrote to memory of 5060	1336	powershell.exe	nslookup.exe
PID 4032 wrote to memory of 3092	4032	RUNDLL32.EXE	schtasks.exe
PID 4032 wrote to memory of 3092	4032	RUNDLL32.EXE	schtasks.exe
PID 4032 wrote to memory of 3092	4032	RUNDLL32.EXE	schtasks.exe
PID 4032 wrote to memory of 3592	4032	RUNDLL32.EXE	schtasks.exe
PID 4032 wrote to memory of 3592	4032	RUNDLL32.EXE	schtasks.exe
PID 4032 wrote to memory of 3592	4032	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe
"C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CkrsXav.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\CkrsXav.exe
"C:\Users\Admin\AppData\Local\Temp\CkrsXav.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1496

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\AppData\Local\Temp\dcgjnoy.exe
"C:\Users\Admin\AppData\Local\Temp\dcgjnoy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP,S C:\Users\Admin\AppData\Local\Temp\dcgjnoy.exe
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP,aE0bYUg3Q2g=
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2641.tmp.ps1"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3F39.tmp.ps1"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
9⤵
PID:5060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
8⤵
PID:3592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nydqklrw.vbs"
5⤵
PID:2200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ycnwxbkbd.vbs"
5⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
dcc593948262d954c0a7ff5487d582e7

SHA1
07b9b4cebe228e26f2217c6045de4a37d475eaed

SHA256
2ee414410c0b968a9929d4315b7142bd8374136dc99260e435fd3812d697608d

SHA512
3364676aba2a9319edbc96a3d78c15eccb97eb8a47eef3224a27f7726678006ac25c81de7a042ade9399467acb5d216487e6c2df008f29238b6cf5ede6ac6d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9616e1b287dabe59ea0fff6487af0b1b

SHA1
918b36641d35c88f93b0147e91f173472bd56474

SHA256
21d3c59f8f66e68e545cfe6dfa667a7888bc198b92deff231d62a604c2585dce

SHA512
c66d8c7e84ebd3b41606c70668b49c14abea5afa1852a905ed77a2a3bf3be59849acb856e3e7069108d78fb10bfe281ef52c460908244106fbfe9767c0f6e841

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkrsXav.exe
MD5
e1993ec02a47a879db8454c1e1f4cb6d

SHA1
489c76ef6ec40edfe2b9174ee20e4c225e5dd1c5

SHA256
c572a00f0d7fb2621a580d153985b9a00f322f11aaf83547f289b94ac497d020

SHA512
5472abbc488bda7311836920e1c73e27678f506d6a08b6455f1ccbacf0677b815b5c1cb1c7c2fc6fabdd30306e28e32d6d405d13f8c137d29d7641514f7bc872

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkrsXav.exe
MD5
e1993ec02a47a879db8454c1e1f4cb6d

SHA1
489c76ef6ec40edfe2b9174ee20e4c225e5dd1c5

SHA256
c572a00f0d7fb2621a580d153985b9a00f322f11aaf83547f289b94ac497d020

SHA512
5472abbc488bda7311836920e1c73e27678f506d6a08b6455f1ccbacf0677b815b5c1cb1c7c2fc6fabdd30306e28e32d6d405d13f8c137d29d7641514f7bc872

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP
MD5
808d3ad409144db9e8a6e645713690a4

SHA1
3632c2550c1163703cd179cc9ccdc6aa4dd73bce

SHA256
c9d0491f301ac2effbf939ab104c0d73942d86b03db34b96a1a85847e37b71e5

SHA512
2dda74f88d3065c9b7cf09e06d2be92d32042ad5e1abb001e54c72ddb7949530aaaaa24c45490517c121305c7f572c306dd3f0b9c0d2b2f888eba71931747e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\BOEEDL~1.ZIP
MD5
8d64604bcb08b2478dd5f64e95b98a74

SHA1
8302120d8bc008018a18e1e9c675b7775a873d27

SHA256
7f041d9355266a3a96f0df091457e753a5ea1eeea6e1bdbfc447e6bbb525702d

SHA512
8d4482e39a1dcb7dd46db3f28249cca3f13c4b9c647874d2a79769b9d7891850c9e57fe660882482e8e325485190a25cf4c42c52931e957443b807ba87f97a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\VOSTTV~1.ZIP
MD5
9032d08de4ce7c0f0e1770c01a1e6bf5

SHA1
218f26185fdfe511c2b5ed73ff5c654c68421904

SHA256
8038b3afe94860864e09a75cd637c63f79fb357887631f125ec6f9065217b9c0

SHA512
492e8aa73aa3b4e038dc60d80633ed79c523bd03202abc4ee04b6c0a75549d1cad7402d8414505ddb22851090086d30933ff1ca9e29fabe0e65939f8d6c45fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\_Files\_INFOR~1.TXT
MD5
733d8ee81a355add001f325d386167bd

SHA1
8daef5dca7b2607cfee451bad5a0e8e8492b51c0

SHA256
902e51c5ce6b5574419fbb4815dfa5dd7b6280c58127f787234911b6a7f6ec69

SHA512
ac01c3904c265b329db132eb2c7c2d2b2ee93f6055d5cd0e641565f08e3d5804ca30dddcea6352cd1087f1a8f9ebb94a895ffffd057ac13e9e999e02a061e6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\_Files\_SCREE~1.JPE
MD5
01603fa883ca4fa6c83ab25bd6a41169

SHA1
c6b3f320b727a20d0061fdcfd0a21094f40fff38

SHA256
f83a4249756b17f9a5d34c75ebe3755be5a2a52112b00037cffc2ffc7bda24f2

SHA512
87eb936aaccdaeb210c85e1e5d5d6b85c9636c350db48afafc0cae7c59b30d53f6c3726d987b912acbd21cc9377bad5e99adec7bef7d0111041738c9b2fd4dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\files_\SCREEN~1.JPG
MD5
01603fa883ca4fa6c83ab25bd6a41169

SHA1
c6b3f320b727a20d0061fdcfd0a21094f40fff38

SHA256
f83a4249756b17f9a5d34c75ebe3755be5a2a52112b00037cffc2ffc7bda24f2

SHA512
87eb936aaccdaeb210c85e1e5d5d6b85c9636c350db48afafc0cae7c59b30d53f6c3726d987b912acbd21cc9377bad5e99adec7bef7d0111041738c9b2fd4dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrqqcCBAvEvwK\files_\SYSTEM~1.TXT
MD5
64b79e5622ced26cd0d2ee4d4b0c13d7

SHA1
02259c9cea0d92da88bcf6d75fbd72e212bef15e

SHA256
384164d39f32e2781582d9db660cd34bebdfeaafc16449bd574632b3a4a00fe1

SHA512
e3a5c568a67517862fa14fe23d729a1ab5318bf7a988eba106b0a84c0e4d69b2d2e5cfb4375920d515cc3c6d8dc668c41bec7f61a444160a98c66c06fea40984

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
3c539776cf69aedac424e1f9c14494ad

SHA1
4d64404d18d7084628b86dac75bf8cfade34ae1d

SHA256
6fe38946bca0129a8b4bd412611c7b4a330b0b0d54c83e87293e52e83f9b007e

SHA512
9fe1015afb1a8ebf964d6016c534ff8433bdb8b0ee040f8483103cd056761e6bb2b9ca1246b916459df4249d1dfcf91f1b19b978725ce0eba66b4e8d65bdda67

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
3c539776cf69aedac424e1f9c14494ad

SHA1
4d64404d18d7084628b86dac75bf8cfade34ae1d

SHA256
6fe38946bca0129a8b4bd412611c7b4a330b0b0d54c83e87293e52e83f9b007e

SHA512
9fe1015afb1a8ebf964d6016c534ff8433bdb8b0ee040f8483103cd056761e6bb2b9ca1246b916459df4249d1dfcf91f1b19b978725ce0eba66b4e8d65bdda67

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
6d6b5c232059bdddbb75586f081fc1f8

SHA1
16a13d3dd9a924594306418a6cceddd2611588e5

SHA256
969a856e1206a3e8d27eccc9878e8c9207eb369885ffa46cff48506e86aaf4a0

SHA512
1510aff400990039bf199dd90e121b0bdc437a1337cf99b5a94b0473294d34dad9c136b3b908ad8888c07019623c7378f08e71f11c0f42a139b8f1aee73b1bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
6d6b5c232059bdddbb75586f081fc1f8

SHA1
16a13d3dd9a924594306418a6cceddd2611588e5

SHA256
969a856e1206a3e8d27eccc9878e8c9207eb369885ffa46cff48506e86aaf4a0

SHA512
1510aff400990039bf199dd90e121b0bdc437a1337cf99b5a94b0473294d34dad9c136b3b908ad8888c07019623c7378f08e71f11c0f42a139b8f1aee73b1bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcgjnoy.exe
MD5
38b69ef4c1d553a9c41927b97d3401a6

SHA1
58e4e6e2db1d4870c8bd98015f6cdc84d3534dbd

SHA256
be391444eedc666fd587007fcf60f78120bfe056666b0784b6063a4e332aac97

SHA512
79d021e36175388e0e3031d5c95ab246b64a5844deb1a4342b241b68aad71f6ff7cb4a7a5bca2f8804afea78af7c56108f552176eaa08aa02584b79f827fb854

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcgjnoy.exe
MD5
38b69ef4c1d553a9c41927b97d3401a6

SHA1
58e4e6e2db1d4870c8bd98015f6cdc84d3534dbd

SHA256
be391444eedc666fd587007fcf60f78120bfe056666b0784b6063a4e332aac97

SHA512
79d021e36175388e0e3031d5c95ab246b64a5844deb1a4342b241b68aad71f6ff7cb4a7a5bca2f8804afea78af7c56108f552176eaa08aa02584b79f827fb854

Download Submit
C:\Users\Admin\AppData\Local\Temp\nydqklrw.vbs
MD5
78b59c8a26fba03bdbeab4f377984e63

SHA1
5946e99a651f65ef0d3439dfdcd32187ad8f778e

SHA256
83182448046ff9e31bfb83a6d5efca65c110a9643b722e97477410ff4079512f

SHA512
870f0c0a471bccc7c4189da0df409f14663c88aaf20a7ce972fb11439d720c89561382440546e91a44e2816672f3b963374b51ca80be39ab75e0345d1cf5c907

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2641.tmp.ps1
MD5
edc11866ee2f70b06561d01f6b2539d0

SHA1
f55b8308328cbb9b89da904555a0130960ae78b4

SHA256
32c953a2e8a3310e5c25553190df0e6f855d9ac520fea776d32e8e443af2d19e

SHA512
9df5a842312b8dbb0b35f6421e595242b06beec5f7e49e6b7d7b53ae4400b0133129faaa66736ab6216b1f1c3a3db77fb29ed5fa73b705747d07180f4f0b092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2642.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F39.tmp.ps1
MD5
63d1a8bcbb922b9d3e34bec5fd32d7cf

SHA1
cf95c757eea0cb37afbf76741c2c35612893ae22

SHA256
d3858dc947d701000cf2cd715909988a527f744888021b7ac73c8fb2d8c88039

SHA512
1c431b1231d16e845f38faee014d8176d2be1ed03cb19d1a72266f7dfeca472cae966b52afa0974af48cf07ca2ade10970e532315272b58eb99b7f6a4eb43849

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F3A.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycnwxbkbd.vbs
MD5
0543c98fa1597044581150aba63579d3

SHA1
206aee1bcec070ae176e6f5327ccb606bdc546d3

SHA256
ebba62739360d40922aaab2fd40f83fe94f122bd6f745daa95e9ff9f9c516c45

SHA512
978ae807fa17c1dd4cc4fce8f078984f5c5304e992d79f802da9f2e7794e00d5ce350a2c372d207fe81f1faab99e3064d24e5aaa273cfbd513e9d6bc701cf7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
3c539776cf69aedac424e1f9c14494ad

SHA1
4d64404d18d7084628b86dac75bf8cfade34ae1d

SHA256
6fe38946bca0129a8b4bd412611c7b4a330b0b0d54c83e87293e52e83f9b007e

SHA512
9fe1015afb1a8ebf964d6016c534ff8433bdb8b0ee040f8483103cd056761e6bb2b9ca1246b916459df4249d1dfcf91f1b19b978725ce0eba66b4e8d65bdda67

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
3c539776cf69aedac424e1f9c14494ad

SHA1
4d64404d18d7084628b86dac75bf8cfade34ae1d

SHA256
6fe38946bca0129a8b4bd412611c7b4a330b0b0d54c83e87293e52e83f9b007e

SHA512
9fe1015afb1a8ebf964d6016c534ff8433bdb8b0ee040f8483103cd056761e6bb2b9ca1246b916459df4249d1dfcf91f1b19b978725ce0eba66b4e8d65bdda67

Download Submit
\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP
MD5
808d3ad409144db9e8a6e645713690a4

SHA1
3632c2550c1163703cd179cc9ccdc6aa4dd73bce

SHA256
c9d0491f301ac2effbf939ab104c0d73942d86b03db34b96a1a85847e37b71e5

SHA512
2dda74f88d3065c9b7cf09e06d2be92d32042ad5e1abb001e54c72ddb7949530aaaaa24c45490517c121305c7f572c306dd3f0b9c0d2b2f888eba71931747e30

Download Submit
\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP
MD5
808d3ad409144db9e8a6e645713690a4

SHA1
3632c2550c1163703cd179cc9ccdc6aa4dd73bce

SHA256
c9d0491f301ac2effbf939ab104c0d73942d86b03db34b96a1a85847e37b71e5

SHA512
2dda74f88d3065c9b7cf09e06d2be92d32042ad5e1abb001e54c72ddb7949530aaaaa24c45490517c121305c7f572c306dd3f0b9c0d2b2f888eba71931747e30

Download Submit
\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP
MD5
808d3ad409144db9e8a6e645713690a4

SHA1
3632c2550c1163703cd179cc9ccdc6aa4dd73bce

SHA256
c9d0491f301ac2effbf939ab104c0d73942d86b03db34b96a1a85847e37b71e5

SHA512
2dda74f88d3065c9b7cf09e06d2be92d32042ad5e1abb001e54c72ddb7949530aaaaa24c45490517c121305c7f572c306dd3f0b9c0d2b2f888eba71931747e30

Download Submit
\Users\Admin\AppData\Local\Temp\DCGJNO~1.TMP
MD5
808d3ad409144db9e8a6e645713690a4

SHA1
3632c2550c1163703cd179cc9ccdc6aa4dd73bce

SHA256
c9d0491f301ac2effbf939ab104c0d73942d86b03db34b96a1a85847e37b71e5

SHA512
2dda74f88d3065c9b7cf09e06d2be92d32042ad5e1abb001e54c72ddb7949530aaaaa24c45490517c121305c7f572c306dd3f0b9c0d2b2f888eba71931747e30

Download Submit
\Users\Admin\AppData\Local\Temp\nsjDD66.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/504-138-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/504-124-0x0000000000000000-mapping.dmp

Download
memory/504-137-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/804-127-0x0000000000000000-mapping.dmp

Download
memory/1112-134-0x0000000000000000-mapping.dmp

Download
memory/1336-228-0x0000000002FF3000-0x0000000002FF4000-memory.dmp

Filesize
4KB

Download
memory/1336-215-0x0000000002FF2000-0x0000000002FF3000-memory.dmp

Filesize
4KB

Download
memory/1336-214-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/1336-210-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/1336-201-0x0000000000000000-mapping.dmp

Download
memory/1336-213-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/1496-139-0x0000000000000000-mapping.dmp

Download
memory/1496-147-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1496-148-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1872-154-0x0000000002270000-0x0000000002370000-memory.dmp

Filesize
1024KB

Download
memory/1872-155-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1872-142-0x0000000000000000-mapping.dmp

Download
memory/2200-145-0x0000000000000000-mapping.dmp

Download
memory/2432-135-0x0000000000510000-0x00000000005BE000-memory.dmp

Filesize
696KB

Download
memory/2432-136-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2432-121-0x0000000000000000-mapping.dmp

Download
memory/2620-168-0x0000000004770000-0x0000000005A06000-memory.dmp

Filesize
18.6MB

Download
memory/2620-158-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2620-153-0x00000000040A0000-0x00000000041FF000-memory.dmp

Filesize
1.4MB

Download
memory/2620-149-0x0000000000000000-mapping.dmp

Download
memory/2824-156-0x0000000000000000-mapping.dmp

Download
memory/3092-227-0x0000000000000000-mapping.dmp

Download
memory/3592-229-0x0000000000000000-mapping.dmp

Download
memory/4032-166-0x0000000003F10000-0x000000000406F000-memory.dmp

Filesize
1.4MB

Download
memory/4032-174-0x00000000045E0000-0x0000000005876000-memory.dmp

Filesize
18.6MB

Download
memory/4032-169-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4032-163-0x0000000000000000-mapping.dmp

Download
memory/4092-116-0x0000000000000000-mapping.dmp

Download
memory/4188-117-0x0000000000000000-mapping.dmp

Download
memory/4428-182-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/4428-185-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/4428-195-0x0000000009EF0000-0x0000000009EF1000-memory.dmp

Filesize
4KB

Download
memory/4428-196-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/4428-197-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/4428-188-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/4428-200-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/4428-187-0x0000000008840000-0x0000000008841000-memory.dmp

Filesize
4KB

Download
memory/4428-186-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/4428-190-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/4428-184-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/4428-183-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/4428-175-0x0000000000000000-mapping.dmp

Download
memory/4428-181-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4428-180-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/4428-178-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/4428-179-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/4648-115-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4648-114-0x0000000002230000-0x0000000002311000-memory.dmp

Filesize
900KB

Download
memory/5060-224-0x0000000000000000-mapping.dmp

Download