gozi_ifsb | fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e

Analysis

max time kernel
151s
max time network
146s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6.png.dll
Size

1.7MB
MD5

ac57d694b86d8532b38d3d62f6de3afc
SHA1

c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256

fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
SHA512

cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b

Score

10^/10

gozi_ifsb 8899 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata
suricata: ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12
suricata: ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12
suricata

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3592 set thread context of 3012	3592	powershell.exe	Explorer.EXE
PID 3012 set thread context of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 set thread context of 3464	3012	Explorer.EXE	RuntimeBroker.exe
PID 2208 set thread context of 3036	2208	cmd.exe	PING.EXE
PID 3012 set thread context of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 set thread context of 3896	3012	Explorer.EXE	WinMail.exe
PID 3012 set thread context of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 set thread context of 1172	3012	Explorer.EXE	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3636 3740 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

1332 net.exe
1356 net.exe
1492 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1284 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

772 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1320 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3036 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3036 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe

pid	pid_target	process	target process
3636	3740	WerFault.exe	regsvr32.exe

pid	process
1332	net.exe
1356	net.exe
1492	net.exe

pid	process
1284	tasklist.exe

pid	process
772	ipconfig.exe

pid	process
1320	systeminfo.exe

pid	process
3036	PING.EXE

pid	process
3036	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXE

pid	process
3740	regsvr32.exe
3740	regsvr32.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3592 powershell.exe
3012 Explorer.EXE
3012 Explorer.EXE
2208 cmd.exe
3012 Explorer.EXE
3012 Explorer.EXE
3012 Explorer.EXE
3012 Explorer.EXE

pid	process
3012	Explorer.EXE

pid	process
3592	powershell.exe
3012	Explorer.EXE
3012	Explorer.EXE
2208	cmd.exe
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeRestorePrivilege	3636	WerFault.exe
Token: SeBackupPrivilege	3636	WerFault.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeDebugPrivilege	3636	WerFault.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeDebugPrivilege	1284	tasklist.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE

pid	process
3012	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 3740	2744	regsvr32.exe	regsvr32.exe
PID 2744 wrote to memory of 3740	2744	regsvr32.exe	regsvr32.exe
PID 2744 wrote to memory of 3740	2744	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 3592	1416	mshta.exe	powershell.exe
PID 1416 wrote to memory of 3592	1416	mshta.exe	powershell.exe
PID 3592 wrote to memory of 1144	3592	powershell.exe	csc.exe
PID 3592 wrote to memory of 1144	3592	powershell.exe	csc.exe
PID 1144 wrote to memory of 1360	1144	csc.exe	cvtres.exe
PID 1144 wrote to memory of 1360	1144	csc.exe	cvtres.exe
PID 3592 wrote to memory of 2400	3592	powershell.exe	csc.exe
PID 3592 wrote to memory of 2400	3592	powershell.exe	csc.exe
PID 2400 wrote to memory of 776	2400	csc.exe	cvtres.exe
PID 2400 wrote to memory of 776	2400	csc.exe	cvtres.exe
PID 3592 wrote to memory of 3012	3592	powershell.exe	Explorer.EXE
PID 3592 wrote to memory of 3012	3592	powershell.exe	Explorer.EXE
PID 3592 wrote to memory of 3012	3592	powershell.exe	Explorer.EXE
PID 3592 wrote to memory of 3012	3592	powershell.exe	Explorer.EXE
PID 3012 wrote to memory of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3464	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 3464	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2208	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3464	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 3464	3012	Explorer.EXE	RuntimeBroker.exe
PID 2208 wrote to memory of 3036	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3036	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3036	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3036	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3036	2208	cmd.exe	PING.EXE
PID 3012 wrote to memory of 1244	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1244	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2180	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2180	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 3896	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 3896	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 3896	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 2148	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 3896	3012	Explorer.EXE	WinMail.exe
PID 3012 wrote to memory of 3896	3012	Explorer.EXE	WinMail.exe
PID 2180 wrote to memory of 1320	2180	cmd.exe	systeminfo.exe
PID 2180 wrote to memory of 1320	2180	cmd.exe	systeminfo.exe
PID 1244 wrote to memory of 772	1244	cmd.exe	ipconfig.exe
PID 1244 wrote to memory of 772	1244	cmd.exe	ipconfig.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1956	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1956	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3528	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1172	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1748	3012	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6.png.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6.png.dll
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 896
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsfs='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsfs).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\AFB12D6D-42B3-B959-C453-96FD38372A81\\\ToolText'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name eobsrde -value gp; new-alias -name utvaltfv -value iex; utvaltfv ([System.Text.Encoding]::ASCII.GetString((eobsrde "HKCU:Software\AppDataLow\Software\Microsoft\AFB12D6D-42B3-B959-C453-96FD38372A81").ToolLink))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmxd5b3t\jmxd5b3t.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES559E.tmp" "c:\Users\Admin\AppData\Local\Temp\jmxd5b3t\CSC62E92555B96F41F2AD7F6BA98DAF72AB.TMP"
5⤵
PID:1360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1mxcerxp\1mxcerxp.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59A5.tmp" "c:\Users\Admin\AppData\Local\Temp\1mxcerxp\CSC7EB9B45986C84CAC93CFDD68E252C0A2.TMP"
5⤵
PID:776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\6.png.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3036

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3896

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:2148

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:1320

C:\Windows\system32\cmd.exe
cmd /C "ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\5CFB.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:772

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3528

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1172

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5CFB.bin1"
2⤵
PID:1956

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5CFB.bin1 > C:\Users\Admin\AppData\Local\Temp\5CFB.bin & del C:\Users\Admin\AppData\Local\Temp\5CFB.bin1"
2⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:684

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2168

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:1332

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:836

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2092

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:3836

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3432

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3096

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2060

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:1316

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:1168

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3936

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:704

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:2200

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:1344

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2420

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:3488

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3056

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3036

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:2076

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2180

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2080

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:1040

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2376

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:2152

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:1356

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:4060

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:1348

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:1492

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:3776

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5326.bin1 > C:\Users\Admin\AppData\Local\Temp\5326.bin & del C:\Users\Admin\AppData\Local\Temp\5326.bin1"
2⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1mxcerxp\1mxcerxp.dll
MD5
ed68b0c57002185593cfc429bad090ac

SHA1
2e473edf526a3f5d6d4c4e0951dd6cf3d74783bd

SHA256
e381ffcee35aeae4ff1902d131b7e802f0acb037fc8ffccff5bc3ca06fb9da06

SHA512
d65976247f70bda9cf87d24216a42200c39433952a5a7cc63cec2bd9ff87c336a28b9096478eabe2b4ed3564071f3cb73daa267d6a6748799662096c556aec1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin
MD5
7537f78209d9d0c9ba4e4ef17609b0d1

SHA1
f797eb924e1231f96f6ab142f5fd61f8cf87fb7c

SHA256
edbf385b6b9da57012579a0173d62fb288707ded9751f968b22adb7262d63f0e

SHA512
696366a6cca5c7510bce5c57a8b1cb387ccf049cbb3ea75ba3b0962647a0039000fb60a8828ddd1a77f8d371aa5e32b5ec55b160f4debca309cbee01238cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
d8f93832ff020d629c8c82f3b9275fb3

SHA1
c4e45ce85fc693ac9d2197c1aa77499cdc4425f1

SHA256
c81fd0ef8e35a7bfc0909a1ae6cfc6fffd72fd5006d9357a2715595be1b95815

SHA512
84963d3404974d944f4485f5298435cfa3344aca967fb0b85bd6835002cbe4ec9a94b38151439f5f0bf6df83078081c3fa67e8df6473e8a8aa4a2315a22d9c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
d8f93832ff020d629c8c82f3b9275fb3

SHA1
c4e45ce85fc693ac9d2197c1aa77499cdc4425f1

SHA256
c81fd0ef8e35a7bfc0909a1ae6cfc6fffd72fd5006d9357a2715595be1b95815

SHA512
84963d3404974d944f4485f5298435cfa3344aca967fb0b85bd6835002cbe4ec9a94b38151439f5f0bf6df83078081c3fa67e8df6473e8a8aa4a2315a22d9c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
194a5458c647f84d51c0b871f621a9ee

SHA1
209783d7909a87c48c7c3296377b4b8c4b4c4441

SHA256
b69fde36a279e8787823d341046351ea7c2edf96ed0f5b1cbfc0b00cbf859200

SHA512
576665b575b673420ee7e185c3d3590b24be7a769db95d45c8c38c912f10db76642c234859d15d76ca306443c2f5d2ab75d823e7a835d73ab35b5c3cd0f93eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
194a5458c647f84d51c0b871f621a9ee

SHA1
209783d7909a87c48c7c3296377b4b8c4b4c4441

SHA256
b69fde36a279e8787823d341046351ea7c2edf96ed0f5b1cbfc0b00cbf859200

SHA512
576665b575b673420ee7e185c3d3590b24be7a769db95d45c8c38c912f10db76642c234859d15d76ca306443c2f5d2ab75d823e7a835d73ab35b5c3cd0f93eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
be4c844902c38d332e376ba60a1c2077

SHA1
85d93f41f7b20d8432919e295e36abd182a78c2f

SHA256
93c8a1d10fb2c7134898c8abf8880e076fe32a653b95f2dd2631202d4650dfcb

SHA512
e7c4bee2a0442b78817e0a5ae9fbb2f4197cb536e201e7335f49fe00d430f369fe9b825ecd5e658b6d1c58e29b9974b7077ee81ae530e65311de732462ca74b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
be4c844902c38d332e376ba60a1c2077

SHA1
85d93f41f7b20d8432919e295e36abd182a78c2f

SHA256
93c8a1d10fb2c7134898c8abf8880e076fe32a653b95f2dd2631202d4650dfcb

SHA512
e7c4bee2a0442b78817e0a5ae9fbb2f4197cb536e201e7335f49fe00d430f369fe9b825ecd5e658b6d1c58e29b9974b7077ee81ae530e65311de732462ca74b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
1a1a4acb5a24db6193ad3682ea412745

SHA1
16af41f15b262f1ab79adac97e7f6f99e0a67bd5

SHA256
5ffee7428bb8f8697c034a500b62200dcac80346eee03d347b8727b2d3bd4ac3

SHA512
e3c03fbf20e2dbcd0b7ca397cdeb0144c36e6bd4cf231f601c5c5cd82f84b1b90466ab8ef99b6489c1034610b65d95e2f9fce46b2ec6799c056b37c76aa7cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
1a1a4acb5a24db6193ad3682ea412745

SHA1
16af41f15b262f1ab79adac97e7f6f99e0a67bd5

SHA256
5ffee7428bb8f8697c034a500b62200dcac80346eee03d347b8727b2d3bd4ac3

SHA512
e3c03fbf20e2dbcd0b7ca397cdeb0144c36e6bd4cf231f601c5c5cd82f84b1b90466ab8ef99b6489c1034610b65d95e2f9fce46b2ec6799c056b37c76aa7cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
4ac53cd9381b7cd67f4ed4efd1f69520

SHA1
a33793ae1ab1a8298195ab21cc0cbd1cd24be316

SHA256
9dca01a23aa5d0a74f7838078889e36c1840c7c6f308c4839faae629aec7b723

SHA512
da4349c41a0ee322ca9da9146d105289f781db8cafa9721a50070a0a4d3fa6c1fc52a93fc26f49b4285b84b4908ec1bcf53327193fcf7ae5e489c1a734c7d297

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
4ac53cd9381b7cd67f4ed4efd1f69520

SHA1
a33793ae1ab1a8298195ab21cc0cbd1cd24be316

SHA256
9dca01a23aa5d0a74f7838078889e36c1840c7c6f308c4839faae629aec7b723

SHA512
da4349c41a0ee322ca9da9146d105289f781db8cafa9721a50070a0a4d3fa6c1fc52a93fc26f49b4285b84b4908ec1bcf53327193fcf7ae5e489c1a734c7d297

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
319d1c1921b988e811678e9d08effd5d

SHA1
2f7d433e2b9d68b131747a83d984cd25d7676a12

SHA256
57d3b6deb929142d92463d74da5fe068d95f2a05e3a5be4f311c1688030a955f

SHA512
2812a415439061c15a47e09b9af4d34ab2bac90d5aa8e4a95260875f63fa1a65fd9c5abd53ebe0d92f6d9f12f6599ac000cb7687710f1ed7c111a3a332d6fcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
319d1c1921b988e811678e9d08effd5d

SHA1
2f7d433e2b9d68b131747a83d984cd25d7676a12

SHA256
57d3b6deb929142d92463d74da5fe068d95f2a05e3a5be4f311c1688030a955f

SHA512
2812a415439061c15a47e09b9af4d34ab2bac90d5aa8e4a95260875f63fa1a65fd9c5abd53ebe0d92f6d9f12f6599ac000cb7687710f1ed7c111a3a332d6fcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
95a6f14c6551435878b94975e29a69ca

SHA1
03bc5a81fd6a7f45fd0bdee4f97052fd60e5f06d

SHA256
5a8622411dd4374c2b68286280866c8331a9e9ea122a11f736827ce3d24d4488

SHA512
414c0fa68cd9405f90722f4a9d028b75a80de373efdc9109d2da9590be0a8b6f3deaf8cb730126b00bba21eef0742b19d61ee2d2f84e07663a36b14345e64acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
95a6f14c6551435878b94975e29a69ca

SHA1
03bc5a81fd6a7f45fd0bdee4f97052fd60e5f06d

SHA256
5a8622411dd4374c2b68286280866c8331a9e9ea122a11f736827ce3d24d4488

SHA512
414c0fa68cd9405f90722f4a9d028b75a80de373efdc9109d2da9590be0a8b6f3deaf8cb730126b00bba21eef0742b19d61ee2d2f84e07663a36b14345e64acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
e2a9d4067c5df05ecc6946ee7b83bdf0

SHA1
395b00c45cc9c19143fdc76e083c2bd84297e2c3

SHA256
f292c4e0b13f5e3bd4994e82da77e8225eaf95686f642ff4d70c0722abbb6433

SHA512
b3bf1ce81a5f56643be741aa9f789424ac4ab837e661c2c10b4b64f47e092e7b37e9852e517742aa4a20d27f46f88fdef2fa3c3b87779e1c5b6ce93bc6d1c16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
aa96cb6a45aa85ae997f79cc8139eaf5

SHA1
b9dac8629d634f748b520e3e63716550c489d83a

SHA256
d3780edf8bf80c7af43064d1b1c6982ba37cff5e5060e6c9b187c4fda44c794c

SHA512
3e8a20e9b803919025573574c0ebf4dfaa31ac3c4e216111a61c6882f571bf2f29442b35326f7da640b7ec0c7c5ce5a632dbd6b6ca1a4eb4d3d60774a2e1bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
4809659a496aa8793d803aa5a2806db6

SHA1
ae58861a96707415b209ee3c22cfb9bd1d6b4947

SHA256
8493170a1dd8e5c760521421050acb17d59872583698aa21365333f98a8f5b5b

SHA512
0533ef89d207544daf3a7b5f18b6fc0e46649e241f5062836247c4c508d9bb91a5a764cb3475a8f87926f8b0fda21cd7669cc1099971ceeaa6db9dd0fb3a5725

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
4809659a496aa8793d803aa5a2806db6

SHA1
ae58861a96707415b209ee3c22cfb9bd1d6b4947

SHA256
8493170a1dd8e5c760521421050acb17d59872583698aa21365333f98a8f5b5b

SHA512
0533ef89d207544daf3a7b5f18b6fc0e46649e241f5062836247c4c508d9bb91a5a764cb3475a8f87926f8b0fda21cd7669cc1099971ceeaa6db9dd0fb3a5725

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
d48aa47cacfd258848dfda15a15851dd

SHA1
4c60d10d21d64f5676b32ead5b27f0577250da8b

SHA256
db9ec327eb3b51e045442c168f5de279fdaa149beadf1ad29ec6f99baa32302c

SHA512
3a12541ecf0d094b9aec73681357f2fe661d1fbf765b18f1254d16bed76c581a1ef4c75310bae212ec16812799fe08d9e5b4e38d01d634c8b1149b6abd2fa27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5326.bin1
MD5
d48aa47cacfd258848dfda15a15851dd

SHA1
4c60d10d21d64f5676b32ead5b27f0577250da8b

SHA256
db9ec327eb3b51e045442c168f5de279fdaa149beadf1ad29ec6f99baa32302c

SHA512
3a12541ecf0d094b9aec73681357f2fe661d1fbf765b18f1254d16bed76c581a1ef4c75310bae212ec16812799fe08d9e5b4e38d01d634c8b1149b6abd2fa27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CFB.bin
MD5
ebca12713c0864663539926578f467d3

SHA1
29c550c0b4d59700ac3912b2d7e2693fbbab56c3

SHA256
d39346fe2ed334b5ecde97c5b57c80c415908d3b82f38525b00b04a33552ae3d

SHA512
8fdedf417a9f08a939f2114b764666716a6dc9b4a126a27b8b7075f875f6ac2cb0f5b8984f497df8617dc613a0c3c56d9f9b335739912617d869300f9e7c5626

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CFB.bin1
MD5
ebca12713c0864663539926578f467d3

SHA1
29c550c0b4d59700ac3912b2d7e2693fbbab56c3

SHA256
d39346fe2ed334b5ecde97c5b57c80c415908d3b82f38525b00b04a33552ae3d

SHA512
8fdedf417a9f08a939f2114b764666716a6dc9b4a126a27b8b7075f875f6ac2cb0f5b8984f497df8617dc613a0c3c56d9f9b335739912617d869300f9e7c5626

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CFB.bin1
MD5
ebca12713c0864663539926578f467d3

SHA1
29c550c0b4d59700ac3912b2d7e2693fbbab56c3

SHA256
d39346fe2ed334b5ecde97c5b57c80c415908d3b82f38525b00b04a33552ae3d

SHA512
8fdedf417a9f08a939f2114b764666716a6dc9b4a126a27b8b7075f875f6ac2cb0f5b8984f497df8617dc613a0c3c56d9f9b335739912617d869300f9e7c5626

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES559E.tmp
MD5
2d9931b251b82b3cc56ab3968435c50e

SHA1
67fce2377ae65698bb502f1c7eb9666661ff8432

SHA256
ce8879d902bb1930ec09955b4c1d95a2eda1a85c5cc09b98b626d5d51c31fa95

SHA512
21461ddb1324dddbbe6597a282034def444cbc5e83fe29ce1a1c6dd99416c4bf59a5cb75823e1f37bf2d98a275f1a3d1b152f100bfb67335780c84817e9fcd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59A5.tmp
MD5
b5e75f9b3d9e7bf50125233f616c8d95

SHA1
0638f29f1fa8936221481fe2403009f945304ca1

SHA256
0061c50bd0f646dae0d116720c1a5aac91791aa355abfb3a56a12e8e54b8c0b1

SHA512
52b15dd48db4235100577f7083738997b8f8da6218959ab372cff806b69997678e61dbea8d051ca736a0ff1d456fb32448a18013cc1ff51c83c1b517075063f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmxd5b3t\jmxd5b3t.dll
MD5
8402e14b5ecdca982cf5f2270c29bb63

SHA1
b1edf2ebee4fb5dfc01b49a0ea64fe0bf09106ab

SHA256
bd12c4f581d594a8526c679925901a88437e3f842362fc3378b62aebe99947a1

SHA512
28b042082b6186e18ec812ecf0483e1a8ace35454e6268c2a69b8a16b4d916527720fbec8291a098a7d888ea5d55b9fe5b456f8bc507e0643e804806669d256c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mxcerxp\1mxcerxp.0.cs
MD5
b1da1ef961aa0ce50c236459261d955a

SHA1
99cf19f188248557193608fe42c1cb88fcf234e1

SHA256
139659d9c1d794242de8defb1e33c785b3b63a691230874656b2b1afc9e0b26b

SHA512
27c4e9d4d1926a87eb5a2cafd768d80a9d566c5fe9c7eb17f87453698415b30e251816738388c3171519a74b20ab0919c47c04a1e6cf9e1d82547540df5e1682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mxcerxp\1mxcerxp.cmdline
MD5
9f410b58b9b26317568a0cd3c3449b21

SHA1
283f873f27c8176677a7ee0ce52ffa172a89435f

SHA256
fd6e88dfb04875524e06a35d0cfed6e77afa86709a6504e7b1c37bc79703e34a

SHA512
203b797b2454fd45d89f2814e8d3b8cfce99c1b6d51c7704d394e8fd7629ea7f70b6191dae64fd4faad9d7d074abcc5f107529bff032b4c5d15d8dfe0f8a4626

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1mxcerxp\CSC7EB9B45986C84CAC93CFDD68E252C0A2.TMP
MD5
aef41657a848e686dafbb976fc9f5cb0

SHA1
985742824834bb22a14464c7e557b5079d846118

SHA256
e57590de92cd2dc23b7b18fd8c8aa143546db0fa589a8e06ee633ae303ef7d5e

SHA512
fbfaea53f9a3ec00aa3b2fae8fcc8cfe6f737623fb829982906f9cd1de744cb871d9bbc99ff7fb21531519506221683bd5713274b75c17511b0f453a7209c7e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmxd5b3t\CSC62E92555B96F41F2AD7F6BA98DAF72AB.TMP
MD5
50f35e9db9883e4501624f8e6f692f75

SHA1
7b49698d7eda9cb1ccc3d50d130b39baf320ff66

SHA256
5cb248a10c2b9500eaabba7b674797fee6161daa3a452086c2366af8f3b59de0

SHA512
64b379c789eb760c749f4b1c933b55aa45875e397de8f9ba124a66faccc5b0310b03921627948655ad6b97d2176cec5a4ac54a8aedbde0748bf104c5f0197030

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmxd5b3t\jmxd5b3t.0.cs
MD5
66d77ea7a947b910d56cfb0fc4b85be6

SHA1
9d503a2c0ddaee23a81802ca8444d8b7039ece6b

SHA256
66e86036222f5d3b474370bbba04c4a7decc42d05d25675846cba63f16877d8b

SHA512
a53181798e577abd31ee4063903e62171903b369b4ff26c337cc0108be8883bee39000a858fb24e92d13cdb89ef5782aadf06b7bd6807dd2d46458f813ee772b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmxd5b3t\jmxd5b3t.cmdline
MD5
aeca52434ce7987089a728641eabd4a2

SHA1
6c7e3381fac6dc2268270e68be20fe5cc73c1fbd

SHA256
4a96b9ff9c83101e9ab343a9c3a2f5f745ad28f69377b41cd99a52a76c2f7154

SHA512
1249f38eba7b5cc25ebeb8e8a3a4ad0e0e7c297d470f08f9a90dd54c854d4e287a16c527ddcb6daff7c1ecbb1d269c4cea67596f711c1ef4f96b10d6275443ac

Download Submit
memory/684-230-0x0000000000000000-mapping.dmp

Download
memory/704-252-0x0000000000000000-mapping.dmp

Download
memory/772-195-0x0000000000000000-mapping.dmp

Download
memory/776-155-0x0000000000000000-mapping.dmp

Download
memory/836-235-0x0000000000000000-mapping.dmp

Download
memory/1040-269-0x0000000000000000-mapping.dmp

Download
memory/1144-144-0x0000000000000000-mapping.dmp

Download
memory/1168-249-0x0000000000000000-mapping.dmp

Download
memory/1172-215-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1172-222-0x0000000002920000-0x00000000029CF000-memory.dmp

Filesize
700KB

Download
memory/1172-214-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1172-209-0x0000000000000000-mapping.dmp

Download
memory/1172-219-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1244-186-0x0000000000000000-mapping.dmp

Download
memory/1244-281-0x0000000000000000-mapping.dmp

Download
memory/1284-244-0x0000000000000000-mapping.dmp

Download
memory/1316-247-0x0000000000000000-mapping.dmp

Download
memory/1320-194-0x0000000000000000-mapping.dmp

Download
memory/1332-234-0x0000000000000000-mapping.dmp

Download
memory/1344-255-0x0000000000000000-mapping.dmp

Download
memory/1348-276-0x0000000000000000-mapping.dmp

Download
memory/1356-273-0x0000000000000000-mapping.dmp

Download
memory/1360-147-0x0000000000000000-mapping.dmp

Download
memory/1416-119-0x0000026439688000-0x0000026439690000-memory.dmp

Filesize
32KB

Download
memory/1492-278-0x0000000000000000-mapping.dmp

Download
memory/1748-223-0x0000000000000000-mapping.dmp

Download
memory/1956-210-0x0000000000000000-mapping.dmp

Download
memory/2060-245-0x0000000000000000-mapping.dmp

Download
memory/2076-265-0x0000000000000000-mapping.dmp

Download
memory/2080-267-0x0000000000000000-mapping.dmp

Download
memory/2092-237-0x0000000000000000-mapping.dmp

Download
memory/2148-203-0x000002BACED20000-0x000002BACED21000-memory.dmp

Filesize
4KB

Download
memory/2148-191-0x000002BAD0430000-0x000002BAD0432000-memory.dmp

Filesize
8KB

Download
memory/2148-188-0x0000000000000000-mapping.dmp

Download
memory/2148-206-0x000002BAD0370000-0x000002BAD042C000-memory.dmp

Filesize
752KB

Download
memory/2148-190-0x000002BAD0430000-0x000002BAD0432000-memory.dmp

Filesize
8KB

Download
memory/2152-271-0x0000000000000000-mapping.dmp

Download
memory/2168-232-0x0000000000000000-mapping.dmp

Download
memory/2180-187-0x0000000000000000-mapping.dmp

Download
memory/2180-266-0x0000000000000000-mapping.dmp

Download
memory/2200-254-0x0000000000000000-mapping.dmp

Download
memory/2208-170-0x0000000000000000-mapping.dmp

Download
memory/2208-173-0x000002D188FB0000-0x000002D188FB2000-memory.dmp

Filesize
8KB

Download
memory/2208-171-0x000002D188FB0000-0x000002D188FB2000-memory.dmp

Filesize
8KB

Download
memory/2208-180-0x000002D188E30000-0x000002D188E31000-memory.dmp

Filesize
4KB

Download
memory/2208-181-0x000002D188D70000-0x000002D188E2C000-memory.dmp

Filesize
752KB

Download
memory/2376-270-0x0000000000000000-mapping.dmp

Download
memory/2400-152-0x0000000000000000-mapping.dmp

Download
memory/2420-257-0x0000000000000000-mapping.dmp

Download
memory/3012-199-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/3012-179-0x0000000001F80000-0x000000000203C000-memory.dmp

Filesize
752KB

Download
memory/3012-165-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/3012-178-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3012-166-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/3012-163-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/3036-184-0x0000025101A40000-0x0000025101A41000-memory.dmp

Filesize
4KB

Download
memory/3036-185-0x0000025101D70000-0x0000025101E2C000-memory.dmp

Filesize
752KB

Download
memory/3036-177-0x0000025101A90000-0x0000025101A92000-memory.dmp

Filesize
8KB

Download
memory/3036-176-0x0000025101A90000-0x0000025101A92000-memory.dmp

Filesize
8KB

Download
memory/3036-175-0x0000000000000000-mapping.dmp

Download
memory/3036-263-0x0000000000000000-mapping.dmp

Download
memory/3056-261-0x0000000000000000-mapping.dmp

Download
memory/3096-242-0x0000000000000000-mapping.dmp

Download
memory/3432-240-0x0000000000000000-mapping.dmp

Download
memory/3464-182-0x000001D330A00000-0x000001D330A01000-memory.dmp

Filesize
4KB

Download
memory/3464-172-0x000001D330A20000-0x000001D330A22000-memory.dmp

Filesize
8KB

Download
memory/3464-183-0x000001D330940000-0x000001D3309FC000-memory.dmp

Filesize
752KB

Download
memory/3464-174-0x000001D330A20000-0x000001D330A22000-memory.dmp

Filesize
8KB

Download
memory/3488-260-0x0000000000000000-mapping.dmp

Download
memory/3528-216-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3528-202-0x0000000000000000-mapping.dmp

Download
memory/3528-220-0x0000000002B00000-0x0000000002C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3528-218-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3528-217-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3528-211-0x0000000000076CD0-0x0000000000076CD4-memory.dmp

Filesize
4B

Download
memory/3592-140-0x00000209A37C0000-0x00000209A37C2000-memory.dmp

Filesize
8KB

Download
memory/3592-125-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-160-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-159-0x00000209A59A0000-0x00000209A59A1000-memory.dmp

Filesize
4KB

Download
memory/3592-120-0x0000000000000000-mapping.dmp

Download
memory/3592-121-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-151-0x000002098B2A0000-0x000002098B2A1000-memory.dmp

Filesize
4KB

Download
memory/3592-161-0x00000209A37C6000-0x00000209A37C8000-memory.dmp

Filesize
8KB

Download
memory/3592-142-0x00000209A37C3000-0x00000209A37C5000-memory.dmp

Filesize
8KB

Download
memory/3592-122-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-164-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-123-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-124-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-162-0x00000209A59B0000-0x00000209A59F5000-memory.dmp

Filesize
276KB

Download
memory/3592-132-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-131-0x00000209A5A20000-0x00000209A5A21000-memory.dmp

Filesize
4KB

Download
memory/3592-126-0x00000209A3780000-0x00000209A3781000-memory.dmp

Filesize
4KB

Download
memory/3592-130-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-129-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-128-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3592-127-0x000002098B100000-0x000002098B102000-memory.dmp

Filesize
8KB

Download
memory/3664-259-0x0000000000000000-mapping.dmp

Download
memory/3740-118-0x0000000010000000-0x00000000101B8000-memory.dmp

Filesize
1.7MB

Download
memory/3740-115-0x0000000000000000-mapping.dmp

Download
memory/3740-117-0x0000000000E00000-0x0000000000F4A000-memory.dmp

Filesize
1.3MB

Download
memory/3776-279-0x0000000000000000-mapping.dmp

Download
memory/3836-239-0x0000000000000000-mapping.dmp

Download
memory/3896-189-0x0000000000000000-mapping.dmp

Download
memory/3896-207-0x0000026DE0AB0000-0x0000026DE0AB1000-memory.dmp

Filesize
4KB

Download
memory/3896-208-0x0000026DE0CF0000-0x0000026DE0DAC000-memory.dmp

Filesize
752KB

Download
memory/3896-193-0x0000026DE0AE0000-0x0000026DE0AE2000-memory.dmp

Filesize
8KB

Download
memory/3896-192-0x0000026DE0AE0000-0x0000026DE0AE2000-memory.dmp

Filesize
8KB

Download
memory/3936-250-0x0000000000000000-mapping.dmp

Download
memory/4060-274-0x0000000000000000-mapping.dmp

Download