agenttesla | d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank_Confirmation.exe
Size

882KB
MD5

f82b121e447bb312a0c383d78a90490f
SHA1

a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256

d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512

cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP

12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-2-0x0000000000E40000-0x0000000000EE8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-4-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-5-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-7-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-9-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-11-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-13-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-15-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-17-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-19-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-21-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-23-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-27-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-25-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-31-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-29-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-41-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-43-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-39-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-37-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-35-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-33-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-47-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-45-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-49-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-51-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-55-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-53-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-57-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-59-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-61-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-63-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-67-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1680-65-0x0000000000E40000-0x0000000000EE3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bank_Confirmation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	Bank_Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank_Confirmation.exe

description pid process target process

PID 1680 set thread context of 3068 1680 Bank_Confirmation.exe Bank_Confirmation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1472 ipconfig.exe
1988 ipconfig.exe

description	pid	process	target process
PID 1680 set thread context of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe

pid	process
1472	ipconfig.exe
1988	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408552107"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a7c70f052dda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000fb0f788d25fd80b1c159a1718bd49fe3f86e86a1c593c9391e80200b20ed3c37000000000e8000000002000020000000155470967f25f3d76f137176f7014d796cb272bf4e86bb37cc6fe2406b9606ac90000000d3a8f9c17f3d01414320d6fc8994d8763f5e40160a620e90ccedee5a4c98b6653e787d05c71c08a970c6fd59faff1ac24954a6915c140b131b802d6b53368cda22a2676e5bc85783378b105f7c6f1574b1d75f359e69105f116b365f2cdd34307df7a7e5865955038f2fd073529c3bd3df7034d0456104c887c6be6976c54670df3fb16b23d76bf6504ffcfe87599c85400000008cf049be31db265f2f29456c55272e549c3064545de5328d8e5823fedaabccf934b30179c6821f2e8a840cd6c05aa921479cf639932aa0d42e5cc3e6c13824f5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000072e9702cbfe0ece783b1c2b3030eb4908e10645841091aab97c06ed7e13e829c000000000e80000000020000200000006b053107c2e54a2c9d80f3ee1d86fcbe35c38fac0d90a076e59a427b4103cb7020000000508cc6d7f96fa4a743224c1a89a489f9d489faa740c928047d2dbf5df44c7f634000000011cb29abc762918d7a9dfaa6d3bb8f9c3b00ff471524b7ff98d8988a8019ecffcf9d6f1fc4737bc7d24be44cbd59cd11eebf5f31cf8836602a9c4b24bbc7ef6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A0E40A1-98F8-11EE-889F-76871049679A} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

pid	process
1680	Bank_Confirmation.exe
2152	powershell.exe
1680	Bank_Confirmation.exe
1680	Bank_Confirmation.exe
1680	Bank_Confirmation.exe
1680	Bank_Confirmation.exe
3068	Bank_Confirmation.exe
3068	Bank_Confirmation.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

description	pid	process
Token: SeDebugPrivilege	1680	Bank_Confirmation.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	3068	Bank_Confirmation.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1128 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1128 iexplore.exe
1128 iexplore.exe
1044 IEXPLORE.EXE
1044 IEXPLORE.EXE
1044 IEXPLORE.EXE
1044 IEXPLORE.EXE

pid	process
1128	iexplore.exe

pid	process
1128	iexplore.exe
1128	iexplore.exe
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Bank_Confirmation.execmd.execmd.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 1680 wrote to memory of 756	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 756	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 756	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 756	1680	Bank_Confirmation.exe	cmd.exe
PID 756 wrote to memory of 1988	756	cmd.exe	ipconfig.exe
PID 756 wrote to memory of 1988	756	cmd.exe	ipconfig.exe
PID 756 wrote to memory of 1988	756	cmd.exe	ipconfig.exe
PID 756 wrote to memory of 1988	756	cmd.exe	ipconfig.exe
PID 1680 wrote to memory of 2152	1680	Bank_Confirmation.exe	powershell.exe
PID 1680 wrote to memory of 2152	1680	Bank_Confirmation.exe	powershell.exe
PID 1680 wrote to memory of 2152	1680	Bank_Confirmation.exe	powershell.exe
PID 1680 wrote to memory of 2152	1680	Bank_Confirmation.exe	powershell.exe
PID 1680 wrote to memory of 2892	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 2892	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 2892	1680	Bank_Confirmation.exe	cmd.exe
PID 1680 wrote to memory of 2892	1680	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1472	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1472	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1472	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1472	2892	cmd.exe	ipconfig.exe
PID 2152 wrote to memory of 1128	2152	powershell.exe	iexplore.exe
PID 2152 wrote to memory of 1128	2152	powershell.exe	iexplore.exe
PID 2152 wrote to memory of 1128	2152	powershell.exe	iexplore.exe
PID 2152 wrote to memory of 1128	2152	powershell.exe	iexplore.exe
PID 1128 wrote to memory of 1044	1128	iexplore.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 1044	1128	iexplore.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 1044	1128	iexplore.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 1044	1128	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 1184	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3064	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 1680 wrote to memory of 3068	1680	Bank_Confirmation.exe	Bank_Confirmation.exe

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1472

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f0235ac0f702e92cbd3e7d519a115e19

SHA1
624350050515b4752e3aa9975c9fc05445c15cd6

SHA256
0ec6390e79cb234955872d9bfb886fbd3ebf3df6d86a684dd1d0a9c357362731

SHA512
e32c1c8428d37cfdc531a537fb99904b6bc0dc4d372fced4512dcbf6009a56109672c07a186a4e66b673f5796ea66e823265f8a95d9dbe5ed97640b4b52527d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
120062b9f0b11babc8110882efa0abc7

SHA1
5b745dbc264e5a836ddf575c24550a4f7772e103

SHA256
8a5bdffb8aa029b1a03b9382e46ab64fa6c5b84e376fced607c43b0ae1d5acc2

SHA512
d31380f376422902e907e15a5acc79ab6376b11e8b88d9c11d08679e8d63eee85d15df08bd7eba3b9ce25a7c4ccfe9d92b36184651336a0c52bdb86b2f7af76d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a653d90e76c412f50f50f278dc0cdbc

SHA1
64e0fbacb37e3703adc499ab99bc7600b5484b25

SHA256
b5bb90bd3b37b37420b98acf8bb2f07327d96b35956e21286644f0c67963c167

SHA512
b4b1e91c652308dc961f3c1050ae6f87d009b02a3b45f7dc4969ef87292a381816609a860874779fd0fdd90b99c7cc61484c76781d8633a8adaf2c02a2b04779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4d8884332932adcfb037b5ea3f20bb6

SHA1
b60a869b170a637337670208440a5ecbeb98305b

SHA256
2248174e668ae5d8075ff31723bdd95685a4a1214197bed89020d73035816a71

SHA512
c5eb01109216be4535c5e35404fe81001977a8f92ef0622e86ed1e15274695265fd154c649299f25e108cff6ff5b0f5f385f0cd7e1a46ba350ee69064eb1e1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45b1a799373407ebd62ec99143736f3d

SHA1
7b4338835550345776146b45fb99296d2fae3da5

SHA256
df17d64add74e7fe16cc99d736e9300d716a3a00249efa99bfa0aac45aa09304

SHA512
8fe15bea2cb77e1fe6bd46077e91ea6bbc25381c9970c76b538325a521abc47d14524d6262275613e26a09ff293d3d8b6e65c950f76b2a804555df3dcca654ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5cbb84b4259f93d19186c715d17ebb8

SHA1
9dfe834de9aec0254220195db79c452dbd2469b3

SHA256
03e03bd3bc35906796009e90c411615a36347c5b70af463233a5c2fbe88831a4

SHA512
a3cdb2ac4e04a7a7f552a7c8f39af25d54a013b31d2619ac80eda07bdc90b52872d32297fcaa90ec0f2c3860d44145908f71c528a46de4be030bb058d5c48766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
405f20a08ba13b934c0e10a0d431977d

SHA1
aa47bfa81f6eba4cbc76eac8075832b21127b1c3

SHA256
43b04a21c3ae84ab42567fbfc044aa3b859fbeb38a78a25d7d2147d439c7e24b

SHA512
a2674c4401b2d71cd5c3118351e50ce6b1779ab2f6766d1d806c6c578e8663b5f49ed50401864d93610af395dba043a66dfa45589ec44309e8e0417e3c485c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18c768078ef6e0906e7e6216e7685615

SHA1
0c0dcc355c1fbb7820d8093abaf05d9213706f8c

SHA256
83ffe225591898b0a620cba5bc962adcd88d2a7f7740c05476667906aa50f042

SHA512
5dd8f6cb565dda84cbc1c6df0791d16e41dc6b39fb762b55250083c4e3fb1f7bdecdeb63f16b3dad097873b3bf550f8f7c1a2a6271aaaf82d8973aa669b2e02f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c6de335842713aaa3443690a59122c9

SHA1
4e054c082635f49273c4b6fb4adcc1b723edc1da

SHA256
2155e31ef7f48d5727dd41db656e5d0e0af23a88de5dc2293819f2d8e1023c5d

SHA512
9c19464d2137bc04d5dfa9aa41956d9b18516172ea737648d7dd6b4b40484a712b67148eba75b48c4bc85dd49015e2907986b17d4076db5f1fa62a3554c43f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d96549e73c069693dd1daee2dc139db1

SHA1
240ca230c5f62c862159458b6ec5621388b9fa78

SHA256
2595244d8f1fcdd70f656e4b7140a52f0a628565778be913ba66e499ed0189b7

SHA512
3d2ed372fff33bd4760c1c2b46d7d683296e912d4985efafc1205bfc13d348a3d01e9a09bf83af733e2a79888a914f4361735501e2040e1960034b447f499bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12a17889565d057ae6105a6022402535

SHA1
57b2c72cf85ebfa4b47c6976dd1679f7328f98e8

SHA256
207de28f063ab174589b6760df9fef8fc31643d2cb8022f536b53e9f2d9d9728

SHA512
3f8501161dab400528fc6e41c24c08429ddce85dfb8df0a9214823c1a768f019579e08db38b518a4480d71e92b994cf842e5287e8f1c12ffbf3f22f8ec5bde45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e3cbc9867973eb9db60c9574f80e0a8

SHA1
20ae688a156968247abb8038facdc048428fe905

SHA256
87636c09dca3a0866df841d6a315c6cbef80c411ab465fb49b7a794b9993ec48

SHA512
314de393c04c4362269ea1582259590a7a56acfe6c76444f3de7141ab79fb1b885199f5fddfdb36a8cc2ca5671a1266f612aa56f3d68b39da8476ca1ff38c01b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e4eddd318ad3497a023a5f8e3fa813b

SHA1
41753c65d6c1a7d93769d749a67da7885842b6b5

SHA256
405328eba9dace00e1e346bda2303abbfff8d1c5a878c59ceb9dee58c22b86b6

SHA512
8df32f234b939e26db8e145bcb1d08cd3ffdbd888a6bdcb9c14de8655f68f5eb6494a2ba3a5ace6ff703b83fa562530cedbc2bf42ec72e0ded5e552fe4031815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b7ca4e08e3c1b0fa689f359945b4be7

SHA1
35cd7d693e8c39c36b9f247aa3ec67a9df05abe8

SHA256
456f383009f72dbcce1a7e781044df42689e63ba2694f816b23405a1cb3515fe

SHA512
e2deeb4b5be024eb879896cb4ef746061dce67e0f6c8bdfb394bd20e8ef7f780210c964d20caf1da3f3af228f0ba28ca3d8ce4180d88f25c18efb9b9dcd39946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e577f3ac9f3f584d6883f288e87febac

SHA1
c03ea38b7fdb1c82a807be88da548cb42051b95c

SHA256
9c73a6f6273df5ee4048521f105f4994469df10423069ef455fb521c6bf804f2

SHA512
2e93c582684bd73b01dc8cae39a6d2a4368c327e86cb8e2a73a275100fdc5babe23840ab13bfaecdd3a66be21927690022ad4b0689b3d5752927a695a3567aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29d43441047c0940dab237ab371a4893

SHA1
0f1956f418dd3f653fdceb70fabadc4023f404a4

SHA256
44e9e440580cf2245395165a8d3812cd22cb1a99213947845a114dffc987bd97

SHA512
fd54c213d240c1a31a1e1e0d67bbe1334370a82bee0f12da5056f97c9e10306cb04dbd8c916744ada37fa2c62c471647954d1af7f20bb65db30e053e20f2b117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10cc2c64c7578d3f2cec15ecfb8169aa

SHA1
fa48043ded84e1a4b421203ce64063777f3aafeb

SHA256
799c0a5bb25d1951585c4cd71d866c01c780cc1396e04e9a51dd7f5cf1f62fd7

SHA512
37e02a73787220459df47633d8cdc99836d4f7c0a57f4f24fe5fa066957fc32ff644d84c3cdcad508aa3dc4e2443708546a0d3b74f706c44534ad171848d6596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6359ef101f6338fecc206da32f6316f

SHA1
05638be1f342fa4dc9fe4a4ac481517ded074d2f

SHA256
331d7d6819259917cfc460ed4454ea560b64860a22f9ab9771e97471ef2f0de5

SHA512
3107381799748a50f0c7cfd796353103e70471268696db938396713744aeed449008e65d39453442153bc45cb4b8c54c9d5f8b39166deae37b320216fc262ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fceb60951a136f7a2585cc3a074cc769

SHA1
0c2f889314caec59b6bb440b392058903d0a28f3

SHA256
fc1b88e798805d2f788ffab177bf1656a3c6dddeec90104b6e1e1fd3241032b5

SHA512
2e78f20632c5c9a2545e10a2d7fed5d4a2daded2ea5d646eb37c85708affac4b4f814eefd015a36478f27a16edf60eeda2bb6d8f06f2c62f743d276eeebb62ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f39248a85f2da0eb2c70b3777b3b4381

SHA1
ab7a3fa16a0aa033d795a81ca2af34b94ebc3db9

SHA256
b4cfb5329691c9810aa228ae9839431b5f01d2aaa553e2834bce4a44c64930b4

SHA512
abfe3588d3448ad73992f6402b711c05a3c40cdbbfe3fb6b2c4f9b680676678dd1be6b69a2c88b486320980e3723a1cdb97a4e2195f65c21acac5ab9b8222356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
126bde28afd49dc13bc2fe0d2043e1f4

SHA1
042524cd526d396b114d3fe4dd81680bdf439280

SHA256
e6ed49cb93ba0c425b48b04c84752e974d84de80f6a169de500e344463250c56

SHA512
540a3b27f77134ddec9e02d5077ee9e635d487ad09751976df161962840ce4ca1e0976ea995297dac218f40e13c0253799fc6fc0c4ca8cff8e4109d012d04ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a1f5d7bd5222d65145ed66b04f408d8

SHA1
e80f10d1caacc7cdc427bcafa67095e5b1a706c7

SHA256
a06c908f3d090ba3db9ae38a22f887e4379445152791b2d5ac4ac2ffea232ba4

SHA512
9f96a280ac10f622dc899cfee1e3b355972e68354417c63cf566bfbbb0527ba5ccc74a5f7ce0901021978d85c93c0c704f78e47fc1e6244095afdf614a320293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee1d0217dbabafd64ec565176243efc2

SHA1
79495d6e3a86b9532b4ac87fbfae4c52c988b3ec

SHA256
96ef90eeb834be0b63d1eaeab44aca15fa01b52bc44ea8e31d91f4d703023031

SHA512
ff55e9567200c2ce574a12ff718cbfeba290b00caf4630fbd41b216e340ddc3e1a73eb287af3248b8de22cfe3351c4d8048ae937b0f773418d9070f4afda716e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab07e67e2fdf43105a255085be612ce5

SHA1
88b22e9c9957973b94b81e527a59c49dbb3e0dd1

SHA256
1273e23bd392ac2c563ea2707e4cedac67ffae84e32ad0dd2a9c14707329de68

SHA512
b92bc1d4141e3d4b176d64f60cd718f41e44061a32d91537d3823b8b7dd7fa45b28c8959a9ef233f88472538c16bb4ea3b2d65a3bf623f259f333e5d0b223143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b3120ad04693287aa7008bcfa5e99a63

SHA1
0db618bb468ada85753fb8cc29dc09ed6dc93439

SHA256
0c90234c43cd6028ca3b051e3ea4f39d2cee2c951e9bff213d54bf725c765e4a

SHA512
810fc219fc79759ec7a4d5b44cd73dc46c488a089302345578a69bd0de1981e54dcc29f1e6b9724e5af208d9b62751d000003724d8b0d18fedf010150f74b738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat

Filesize
5KB

MD5
4b104cba8175d47531edc3ba8f1697c5

SHA1
ee11577b569b55e5ecb171cbe81a5b88b37ab88f

SHA256
cb5c99b2c127c0456837daf593d96949dd2f3a1e7f2918d7d8de2cfcf82fdf56

SHA512
f3d728f2089b1ceec50ea678a8a12aa2bcc2319632cbbc56a44448a7a965a0e3a3d69aae9e9d8a2e262bc59abede2b87b913ed5ac0e22f9b59129c768d43b8f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF75B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF75E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF80F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1680-39-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-33-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-67-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-65-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-926-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1680-927-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/1680-928-0x00000000043F0000-0x000000000443C000-memory.dmp

Filesize
304KB

Download
memory/1680-929-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-930-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1680-1-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-2-0x0000000000E40000-0x0000000000EE8000-memory.dmp

Filesize
672KB

Download
memory/1680-3-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1680-4-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-5-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-61-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-59-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-1018-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-7-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-9-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-11-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-57-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-53-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-55-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-51-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-49-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-45-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-47-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-63-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-35-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-37-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-0-0x0000000000F00000-0x0000000000FE2000-memory.dmp

Filesize
904KB

Download
memory/1680-43-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-41-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-29-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-31-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-25-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-13-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-15-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-27-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-23-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-21-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-19-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/1680-17-0x0000000000E40000-0x0000000000EE3000-memory.dmp

Filesize
652KB

Download
memory/2152-938-0x000000006FF40000-0x00000000704EB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-937-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2152-936-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2152-934-0x000000006FF40000-0x00000000704EB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-935-0x000000006FF40000-0x00000000704EB000-memory.dmp

Filesize
5.7MB

Download
memory/3068-1501-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/3068-1500-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-1024-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/3068-1023-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-1022-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download