agenttesla | d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank_Confirmation.exe
Size

882KB
MD5

f82b121e447bb312a0c383d78a90490f
SHA1

a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256

d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512

cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP

12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2892-2-0x0000000001F40000-0x0000000001FE8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-4-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-5-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-7-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-9-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-11-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-13-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-15-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-17-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-21-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-19-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-31-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-29-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-27-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-25-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-23-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-33-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-45-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-49-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-61-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-65-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-63-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-59-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-57-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-55-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-53-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-51-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-47-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-43-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-41-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-39-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-37-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-35-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-67-0x0000000001F40000-0x0000000001FE3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bank_Confirmation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	Bank_Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank_Confirmation.exe

description pid process target process

PID 2892 set thread context of 2656 2892 Bank_Confirmation.exe Bank_Confirmation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2588 ipconfig.exe
1336 ipconfig.exe

description	pid	process	target process
PID 2892 set thread context of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe

pid	process
2588	ipconfig.exe
1336	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000000e930b7807a0324d939ef30a77ee745847dfbaa31f8f3c93d686cd3c0d3a665000000000e80000000020000200000000f93df6e908e96e02cbf295f9cd4d1300532b4373c5157ba60b26f2fe23b85b8200000002850d5a1f2c4d5e0d9a4a0486e0262f5cf3338baabd0c5ec6710b812f4ff434e40000000122077fd3cf35116ebf910f2b562e30ac3c562b9c6ba879237154cd6c296f9965262abcad6e47fc971df39844916ee448a796c9197478c14da956dbbe8324595	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d8a55c052dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86EC42F1-98F8-11EE-BB7B-5AAA8EBA5435} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408552235"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000eb7f0c0ce50bd8f7c4df5b4c40cfd01909262ec0082db3f22a2353335e8f20a3000000000e8000000002000020000000cbb7dc1936becd027a1d8a8c105544322153054e1e7b5afa84c996aba27fe71990000000741335ac624899336654a97a20bbcc5ba04d6f0e4d779f64e4a288aadab2befe22aa1e6888e06e1219ef3ce05283e52bbff6037bee2254bd281248df4e9e6ac57e9888ae1c7a07994c31bdb97bfbbad4faefa0a4307acb6864eb3059eb93a42bccccc0950aecc6562558ce1aa68ff4b5541eb625b13bc01c2243e3b86c00280a39e7e62c7876c7e85620e40aae238dee400000004420d2a060f3276108e74a7d03d7232c86ba50d98f859625dec5f309884aaa292c11cf2f42443f8918eb6cf753435f06bdb297ad2742909d55d8efa5ea659237	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

pid process

2892 Bank_Confirmation.exe
1880 powershell.exe
2656 Bank_Confirmation.exe
2656 Bank_Confirmation.exe

pid	process
2892	Bank_Confirmation.exe
1880	powershell.exe
2656	Bank_Confirmation.exe
2656	Bank_Confirmation.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

description	pid	process
Token: SeDebugPrivilege	2892	Bank_Confirmation.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2656	Bank_Confirmation.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1836 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1836 iexplore.exe
1836 iexplore.exe
844 IEXPLORE.EXE
844 IEXPLORE.EXE
844 IEXPLORE.EXE
844 IEXPLORE.EXE

pid	process
1836	iexplore.exe

pid	process
1836	iexplore.exe
1836	iexplore.exe
844	IEXPLORE.EXE
844	IEXPLORE.EXE
844	IEXPLORE.EXE
844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Bank_Confirmation.execmd.execmd.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 2892 wrote to memory of 1664	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1664	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1664	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1664	2892	Bank_Confirmation.exe	cmd.exe
PID 1664 wrote to memory of 2588	1664	cmd.exe	ipconfig.exe
PID 1664 wrote to memory of 2588	1664	cmd.exe	ipconfig.exe
PID 1664 wrote to memory of 2588	1664	cmd.exe	ipconfig.exe
PID 1664 wrote to memory of 2588	1664	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1880	2892	Bank_Confirmation.exe	powershell.exe
PID 2892 wrote to memory of 1880	2892	Bank_Confirmation.exe	powershell.exe
PID 2892 wrote to memory of 1880	2892	Bank_Confirmation.exe	powershell.exe
PID 2892 wrote to memory of 1880	2892	Bank_Confirmation.exe	powershell.exe
PID 2892 wrote to memory of 1472	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1472	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1472	2892	Bank_Confirmation.exe	cmd.exe
PID 2892 wrote to memory of 1472	2892	Bank_Confirmation.exe	cmd.exe
PID 1472 wrote to memory of 1336	1472	cmd.exe	ipconfig.exe
PID 1472 wrote to memory of 1336	1472	cmd.exe	ipconfig.exe
PID 1472 wrote to memory of 1336	1472	cmd.exe	ipconfig.exe
PID 1472 wrote to memory of 1336	1472	cmd.exe	ipconfig.exe
PID 1880 wrote to memory of 1836	1880	powershell.exe	iexplore.exe
PID 1880 wrote to memory of 1836	1880	powershell.exe	iexplore.exe
PID 1880 wrote to memory of 1836	1880	powershell.exe	iexplore.exe
PID 1880 wrote to memory of 1836	1880	powershell.exe	iexplore.exe
PID 1836 wrote to memory of 844	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 844	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 844	1836	iexplore.exe	IEXPLORE.EXE
PID 1836 wrote to memory of 844	1836	iexplore.exe	IEXPLORE.EXE
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2892 wrote to memory of 2656	2892	Bank_Confirmation.exe	Bank_Confirmation.exe

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1336

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d42bd8056a341091fda3ea685bb4ea5d

SHA1
e0c186e14490eeb6849b14258f380fc7cf96a4a4

SHA256
1db4c993d96490d9c5d1c884b7cafc96e76766c452631fcd4ad1e92254c55fb9

SHA512
a0a96e4643f77d2b5aa2256f354c60e0d881f6213d1aa30cb7d1aa906d51332663325f57644b26539efaf5a40265bae94ea0765efba1e36bad59c9dab4fd50a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f45c5df30aee5c234b92b75033042b7b

SHA1
6d02a2df637efe61e1464272cbe3887d7a0fd32b

SHA256
684036ff9fe18b3bac005f748cac83e340ccfd298b48d6818949465559f48bc5

SHA512
53b1cd0b08305ba4b089c6e450b64af28b336f70bceaff0e12fa9d32b1dad533ac35dd2a83dd15d5a0a6eec5d7cecd532930a0f71a2830ecb327a9f57e37390d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04a4c017347a068bf42ae0d90358bd01

SHA1
c35191431be4135a5b5b0c6de47128581ce54899

SHA256
66756cae9ffd238b63bb939adc35ed3453c86ae10da6e733b656e5bab33c9d96

SHA512
cb92737a8679fc559c02f7d1f737226f1426b51000cdcb7c082857d51e0cca65f543978bb54c56e4b833af8ef0e6cbdec713b2bb97d0d96d1a28d8b20ab1aedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4eb9e2466553c92245b31801d637616

SHA1
2ad89f79da1771e4682b11859e9fdf4f92b76b0d

SHA256
c3d2d1de5dabaad0fb705e0d685e5a68a954658acc76408e1a4231f152ce3574

SHA512
3d8228d7b0563a5bdc11d4809f2e0cf172e8eb27a1ca2dec088238dc0b48f87748cc200c553adeea0cc42f622a96cf291834a0c50ace947b8d00f6a837b77a4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d200d9d72223a7da55b45336733aadd5

SHA1
9a7f26706719ba5ca43ec422e43a76b6e50d9a1e

SHA256
1c9156b84d6d991de8d35486ceb8246c75ec533c5ce45492ce4ba21ccc274128

SHA512
689fc188947700cff40e7d0ce03a80a638e44eb81452ec8a6e55b805256a67200e8645ac63e6f0c9d256399f475f9b5e1ab684efe03069d35f14b9b1775370e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cad5ec63bde5c536d4d7875c2af8a42

SHA1
83d89c88c690a644c53c6d77fbab986fbea6e6f0

SHA256
f9dfc104a2afa72cc3a3f31aae4078a47e4c40a373d757753f804a0ed3df620b

SHA512
2660ad2959a16e43064925571e19d74a624bb60c073499718c913415a469df1f7b608e38f963df1a69b06b0b405609d843da3568edc50988a47356e094052bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a82a79b8365fe5434e79e8e1b311f9f

SHA1
0533add82a86009894a15b3f301b48a666a0cf34

SHA256
798f6de26e4c28b8d131dd09a899b67e4ed88af7a5d0c61c175cd7b5d18b440b

SHA512
6af3afea5212eecd18ed5580164e319d5fcfd6b8ee62d1c17f1465bbfca9c7a34f17f0fba1d785702b79a7b731d2c33841ca83085fff3fc3762661cf88c7e0ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72eed6438185103d351ebfbb7622bc70

SHA1
dadd64dc8c5197bfdb57457ecad4863786352041

SHA256
d51201c22d0546fd12eec5cc73bdf1731568e377a3ff90ea37f5325187f67701

SHA512
8494ae6726b66f096f4974b6241ddf5a2b87ac1db240fe6d5ebeac57a15ebd6ecb7d9ae3c5bf9360c833025d931aa4374711257daf03fb5453c8b5a79e95e886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1b68dd4783acea4f30522f6f7d86a14

SHA1
6f8078052d02d926b7de2f48b0b6724c0484d591

SHA256
25315712c1589428c35413bd2c842d011c111fdebf14470bea148b06c64075ba

SHA512
1a7f45cf50f75f8f992cb8db20d8a242c0d919a39789b8a20e6918f14df7bf621779b94259ec14f3e1dded2fdae6dad513efcb3e22b974ff7d3ec334012fd93d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ca34da0942f22d877cc03a9d40564bc

SHA1
754ce89716c4aac94d1f35b8e32f47f8525055e8

SHA256
7336c3642227977ce87a0b185e268979ac89caab29dc205d5645a834a2e5d566

SHA512
634f950fc99700451a03d0af84a50fbd9c412a60a083f5d8e0000a094a5de73b4ef393052152ce292d41c7c8d55f45ed6b27af10937d6ebd40c1e8d91ed06681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c3d579212262e67a758371deb4793c0

SHA1
b86f04cfad19dacbb1a28d9ac9c907bebb67d8e2

SHA256
7cf9c532a77c4403bc45613fa736fea78c2db9d0f35855b7f012a18fe76c4fee

SHA512
6c7865cea0df0da9004c36a69cd75f42b5b2aee16219f524ee943b4636eee7f3c54ed6ab2ad434488e387b49a7177a0aa9431a93e6f97425fbe638b4dd8756e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc1c846d811ee2d2a341352cb9276120

SHA1
176718c1610ee798a8b6ea88b1ef7815dd87c54e

SHA256
181e49d4e21abf974121518914ca7d9160e6cdc32aae535c7ca6a96e0a7cfa49

SHA512
c0ff60489650b29ad30a3db79a6b5178c145503461e53ee9dcffb17802eb538f13b2daa9522965dc865826779ce463173ce059deebc8e9c3263daec38467aef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46c6010d150455f332ecea05078bfbef

SHA1
2a6a4d4b3633b8dec82178957fff54835a5f785c

SHA256
85e5129540ad45ffeb2746bdd54a605ee3aa66c0c1b3f1d451668446e31bb743

SHA512
daa77753ef66c744b3244c5f0430cb80cedab7d4dcd27434f8688c3768d879692a975073405c74e303789e8f5e125125afd09053b9be50cfd4b814cb0ee1b203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb89cbdbdb434ad874cc686a0bbe65a9

SHA1
8d5073ed40087fe83438fb1175cf04af28dd0b06

SHA256
27b691935517d6e101f39e38a342813c6ae79e94658e14d04b2d036edf7410f8

SHA512
f1ea464711411cf5be06e3d4f9a40e46347a8dd9af2583744f28966f9ad3ab69c12b487ad1db423b3f5275209b5a4b84bfd177449e5d84793c5750f59d8f6a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7043427cefe4c08324445469d0a944ec

SHA1
37d5eb15692ab1e3bdb96e41fbc4c9baafccf898

SHA256
c9e7193e047b16f932fbe78b980473abebad009e653577d55d3d64b6fb1aae47

SHA512
6a2c688c777e48c0ffeb9212050b8dbc575966566368dafaf415cbb1d6d61f2ba83fc02b746ef6ab175fd16d42410fc7ca5e24ec9d8dfc68ad9646d3c67e0b6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be14303c3fe0e1cd24078a10dc5e5252

SHA1
f9af50da8778bc83d6790cc38c6d48488396f59b

SHA256
9d80f18ba5314b76a5d756eb3cdd8b7faca7dba80f3695b388e55eddb8d0e084

SHA512
102c4d31ec7800346fe658f6d4490ab70e0df823d09acbd10f68414d1c30588484a283605959e0298631d473f0d4f6633febd50ad84a4c5651d7ff56d5adff29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06a22fc8a4776c0748f95b6b45021927

SHA1
04dc9b4132617e0cc95046d69292257d37d7a185

SHA256
ce453ef503458a31303bb5dad360bdeb2a2d3dd51ca8f83ce51f90c3d21bffb6

SHA512
a9baecca078f2d7ffffbb7076e6127654c427f8fb361e6d0ad923e0688f2fac83e40bdc3760268e55253cfb5bf1c78792a14d624850a24195ff0c272ede07d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ff6c1f4ffac2203c3b704cead79e1a3

SHA1
f8e51514038910f9722ffe1d9cdeb6e11ee41c8e

SHA256
243d88ca255783c411b6f55750a87358ad553b9a0af767f99464ab246ed05659

SHA512
605fe308ef16f30553f17246eb6e346b69da7e9ce60301db14d1b04dc837cdafc141aacb04f5ce32cdd6dfca9fe3fc3870e010c5ecd344e694881bd819f635f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fca0a4fb06cb280c88bb544bcf4862c4

SHA1
2b58382a3f53c46d1e114fe7cd305c36e167599e

SHA256
04a47aceb5f421bf10413b59c36c78d671bc7f0ee36d84fb2af415afa136c721

SHA512
05c07d415f2b9fe701faffc8b43a8c1eb68c74526a6842c16572b8ff192706ca3994287c1c91c45f6c3278519b2a478e098eb790c2a0b633631fe2b10975650a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c728a7eb9d93353bb0f1202f211e50e

SHA1
7e0b298e01ea347b3d2b1096a2c70151337674ce

SHA256
b85611dc48270d3aee38781c6a135ae1d58216d14eff0c15788ae78fa9f0d5b2

SHA512
d3fe1d4e94411e027a3346cfc0ebe27643443025277a983e6efc44b8a7b10ae638da94bca3626a72bd7ff58fad1c88c4745ad3729a95f626c084e122fce26321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a6d06d8889927d26230e270fa69e23c

SHA1
3ef9191f07952c1daf8cdc2f8a0ec3ac8bdf7356

SHA256
038bc53bfe323a6ae8da5e9fc8657385dcf48035a1148e625166a2991e9b0b10

SHA512
b85b3b4695c167e10256fc4774832128b12156110ad8a8c02219e6da869accc60243338e818d8344281f450f4b8322c8c9a6e1467b6104f5fdb027687ca5ff4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65357e2f5d76bf957afae8242a705ae9

SHA1
bd94fd68a065516012cdc799146dde48222fe173

SHA256
4301600f1fdf3917c6641faa7a484c12372fdfa75dfde0d03cee8d15793b597f

SHA512
19490a6bb089a9ae4b47cf6b064ca176f23682c0ebb3def0d0a6393d26a91e036cf5328c9d2a06c3796b75b3541e62af882e5e2f95cd51a65c7adf5f0e2ff8e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edacba93360964f05895a244d6f95874

SHA1
bce52fe2bb728c61c93cfa28b15982fee3db911c

SHA256
ee976f372d37cfc08084fb4e20d0fe8809797470a8b8ab9263baf6fb9241dd11

SHA512
7bf40a7361a6e921612debb46ec4b92849925d9c1aeff0ed3025d4c9a12559f3b76e5ac5b21a1cacda8b34cabcddc94ad26856ab207e2c75267e7304df3abb90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9830d945656fa87e00583f3220e07403

SHA1
02093da42235874a1c3cf3d8f3d8d89fb4ec6329

SHA256
2d8b9b1d96a2ff122082faeb67553b30e451fca51b12bc3f9d585ef9933ebf0d

SHA512
067274227de83cd8503b05666e8a15909b26401ca7e062d3fa77944081d5f637e083662475c845316805b152c42a3d300692a46e8db69d7bbcc2e3fc5b18d8ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3197a6fcd958f30e080e0b04e83cce7a

SHA1
e065dc198e289ea534dbe28307c4690f44afde92

SHA256
0dc4878c2950827c3d89e92ffc4cbba57444fa52537f11c77bd105c27a4d2b79

SHA512
e8d152c5d17a75743d3db006f9c92c9ce8b5c29c072bc91db6d7f8b39f7232057ce50ae6e8aadb20de94e30a73ced6d5ade0f27fcd081b1146a03f7438cb70a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d57de1b2f0bc277c47890c0085d47567

SHA1
2b12a57a1ca9370ef52634e1e97a74329e8cc8b9

SHA256
c3273dc59a68152fd30024ee8ddd78d023e2496e6ad041dedbe6bd07370f8f61

SHA512
1d16f140dbd96bc6dde7dde95ca40407dd492a6b362046f36e59f613380444f3720c57009f2c74079d7fd2a63ce0524abb6510d92f8917e33fde645c12a78565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
43ddd69423e5248937974894103b5ba8

SHA1
1a28bb5503eafa87863440511cbb9019140f9156

SHA256
47bee53f5bc83fcb1568e1f6733975f46a42a0da727b806eed7c52b2b537264a

SHA512
c5e3ea5c11b4b7c485549e5725f6d9af98b3732861b053633ed85d8c1020d5faf6b27a167e42fa93d7b4a43fa4b991712660d86604d7f0d80ea58b9f4a742003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat

Filesize
5KB

MD5
dc158c46f649d4fd7e46bafa0b179f5f

SHA1
b5a859cd78f180aea2b7063c6b15d66e2cbe54bc

SHA256
4494d6d28bb05319296c4036a5777c4b969aab1aace4d55707177467186e0834

SHA512
c8a39ee868fdaddc147fff05b1a2ca4b9bd29f0bd6c9331fb18f98c0d8c7e1fc31d82de3f136562dad00150682971561ab6a49483c661ea05427e19de6c79432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF577.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5E8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF57A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF61C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1880-937-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/1880-936-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/1880-934-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-935-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-938-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-1500-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2656-1499-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-1023-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2656-1021-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-1022-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-63-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-45-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-35-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-37-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-1017-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-930-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2892-929-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-927-0x00000000041C0000-0x0000000004202000-memory.dmp

Filesize
264KB

Download
memory/2892-39-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-41-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-43-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-47-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-51-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-53-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-55-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-57-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-59-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-67-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-65-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-61-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-49-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-0-0x00000000009F0000-0x0000000000AD2000-memory.dmp

Filesize
904KB

Download
memory/2892-928-0x0000000004720000-0x000000000476C000-memory.dmp

Filesize
304KB

Download
memory/2892-926-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2892-33-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-23-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-25-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-27-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-29-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-31-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-19-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-21-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-17-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-15-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-13-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-11-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-9-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-7-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-5-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-4-0x0000000001F40000-0x0000000001FE3000-memory.dmp

Filesize
652KB

Download
memory/2892-3-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2892-2-0x0000000001F40000-0x0000000001FE8000-memory.dmp

Filesize
672KB

Download
memory/2892-1-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download