agenttesla | d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank_Confirmation.exe
Size

882KB
MD5

f82b121e447bb312a0c383d78a90490f
SHA1

a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256

d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512

cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP

12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2600-2-0x00000000049B0000-0x0000000004A58000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-4-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-5-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-7-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-9-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-11-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-13-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-15-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-17-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-19-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-23-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-21-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-25-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-29-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-27-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-33-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-31-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-35-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-37-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-39-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-41-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-47-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-49-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-45-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-53-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-55-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-51-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-59-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-61-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-57-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-43-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-63-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-65-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-67-0x00000000049B0000-0x0000000004A53000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-930-0x0000000004B40000-0x0000000004B80000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bank_Confirmation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	Bank_Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank_Confirmation.exe

description pid process target process

PID 2600 set thread context of 1740 2600 Bank_Confirmation.exe Bank_Confirmation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1516 ipconfig.exe
1636 ipconfig.exe

description	pid	process	target process
PID 2600 set thread context of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe

pid	process
1516	ipconfig.exe
1636	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03b9392052dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408552325"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000d68f0d23a8a83f2ad1a5e7dee6f4073b0727be0c2655e503cad9f8159156ec2d000000000e8000000002000020000000d49b1282e7c15ca300d36d8e1f9119dfda1847455db84b32bbb26677507530cc900000002b0dc304a8f67761c98bb8fe65d802fcd2857b33d87891bea2f05529d22c0d8edb7eecfcd987229a7246119d3aafa400fd40501ddc2037397b3b49f21aadbebbf2a9e2f941741e87e342ae7d2ae82d06d17b773ee48c28ba3ee32781ca1c513385fb361e2ce6558ab7dd9c1dc09c0f2a88e5778d9f16afd668cfbe653decd83c1eed03cf0017b108f55bc313fc4dfa0c40000000d1f60caf58ad203583dc5a029ba1f4b3f9f7ce4e7db21349d4f86797ed0d8861780ce262002164fc1923b01a1f1e23cf1857a5f04db332ac945949bba40259f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC1368A1-98F8-11EE-A512-C6A71AF0F40E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000022aaf9a3395ffc24f5d2e1edad3e31e6978617ab15db61d9e6c7ac769b23bee5000000000e800000000200002000000071692305335d7f564e87270d7b49f5db79573a00ebe4c080a0b80cbb1978c936200000006515a1a3b34720445d12431d0c35d96b75403ee63ff3b50f9fbcffe252bbf9ad4000000002cb384eb5cd7cf4d3a11f0768ec0641ac0598753b26c055f26ce2cca1d3504f5b58f35b301571fafbfc1a157cc56afc222442610bba3fc6159bce4bd55764c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

pid	process
2600	Bank_Confirmation.exe
1452	powershell.exe
2600	Bank_Confirmation.exe
2600	Bank_Confirmation.exe
1740	Bank_Confirmation.exe
1740	Bank_Confirmation.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

description	pid	process
Token: SeDebugPrivilege	2600	Bank_Confirmation.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1740	Bank_Confirmation.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2200 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2200 iexplore.exe
2200 iexplore.exe
2196 IEXPLORE.EXE
2196 IEXPLORE.EXE
2196 IEXPLORE.EXE
2196 IEXPLORE.EXE

pid	process
2200	iexplore.exe

pid	process
2200	iexplore.exe
2200	iexplore.exe
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

Bank_Confirmation.execmd.execmd.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 2600 wrote to memory of 1108	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 1108	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 1108	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 1108	2600	Bank_Confirmation.exe	cmd.exe
PID 1108 wrote to memory of 1636	1108	cmd.exe	ipconfig.exe
PID 1108 wrote to memory of 1636	1108	cmd.exe	ipconfig.exe
PID 1108 wrote to memory of 1636	1108	cmd.exe	ipconfig.exe
PID 1108 wrote to memory of 1636	1108	cmd.exe	ipconfig.exe
PID 2600 wrote to memory of 1452	2600	Bank_Confirmation.exe	powershell.exe
PID 2600 wrote to memory of 1452	2600	Bank_Confirmation.exe	powershell.exe
PID 2600 wrote to memory of 1452	2600	Bank_Confirmation.exe	powershell.exe
PID 2600 wrote to memory of 1452	2600	Bank_Confirmation.exe	powershell.exe
PID 2600 wrote to memory of 940	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 940	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 940	2600	Bank_Confirmation.exe	cmd.exe
PID 2600 wrote to memory of 940	2600	Bank_Confirmation.exe	cmd.exe
PID 940 wrote to memory of 1516	940	cmd.exe	ipconfig.exe
PID 940 wrote to memory of 1516	940	cmd.exe	ipconfig.exe
PID 940 wrote to memory of 1516	940	cmd.exe	ipconfig.exe
PID 940 wrote to memory of 1516	940	cmd.exe	ipconfig.exe
PID 1452 wrote to memory of 2200	1452	powershell.exe	iexplore.exe
PID 1452 wrote to memory of 2200	1452	powershell.exe	iexplore.exe
PID 1452 wrote to memory of 2200	1452	powershell.exe	iexplore.exe
PID 1452 wrote to memory of 2200	1452	powershell.exe	iexplore.exe
PID 2200 wrote to memory of 2196	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 2196	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 2196	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 2196	2200	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 2020	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2600 wrote to memory of 1740	2600	Bank_Confirmation.exe	Bank_Confirmation.exe

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1516

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9e5e1e9d8e0dfb7971c21e387e2d2308

SHA1
6babcdb729655e5be11ff9382b31058d24fcf360

SHA256
ad665292607d0ad47046d4c82cd7a2e11b3b9ba19d0cef1fff072adfb07edaa6

SHA512
b67bc754430d7f4a1b09a7053e576bdec537e5ce751dcc14fc7cc1b4f9a10693a61def30bf0e2de5e56036a0878349adf532839fec700669129b096366e5568c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50b6277b8f3ed547d480509448db89fb

SHA1
b2cdd5193eae5bb7676a5c90a3f1ad731352d014

SHA256
4b38069559c83dc82f50c3dcce689e3138aa4ae2bc192513a52465dc2166be2b

SHA512
9b42390190f39a0e51a7e8f836fba2fdafa807f385b5e2693acd07d51f7ad390600582328f35aeb345bcfa6e0b20f2d85367497ea7e2d7c31113186307d7d344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b380565edfcfa71258e11134924463de

SHA1
221d13e439018e6511be6e77fe07649056ec3299

SHA256
e5f9fbda751352b560522f276191e6c03fcb196ff348d7a729bea4d62408c1bb

SHA512
5a32eaa0883a7606e0149c2408559aba076e2c8d13fc68ae7655705eba62d08e05431e7c910031a8824b3fc4c738f18a5916b2fc3f02d30005c6858e3da26332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59220b24a4b410f16e57d937088eb9ad

SHA1
02216e53376f4de7d978cf7c7f8941eecea6ede8

SHA256
827e5886bf4b44a32131dbc57cf9e7ec793546319fc8aff5af64e0ed04a8371a

SHA512
b99c6f0092e18bac6d2cc42b6da78176a055c2f9950d50c3590fb2c89af49b7c9967179a0ffda7fb703ce3b4cc4325f8fc32f9952f648c8d7c165e9cf410eab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e4bf683450afbd43050392d5994bc62

SHA1
b8fa8ad4b1de300298d72c2452e47d2e88e5b53b

SHA256
1a552128c103a4c0b2bb1b39d2688114263e6de22ae1c41a0a62ad5fc975a929

SHA512
66657d6cb769b13810619ebe89f4da029cd81b591df45d7e750fd044d840c3ce083a0b5ce90208fb6a9465cc46716d2028261b7d093ada04e0354e9ee68f2b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f2fa9c0932690ea6cc18703f42273fc

SHA1
261d8b2664855ebac2be107c8ac151bda853ccd5

SHA256
f92e371760a31e239c6fd553cce46fd39304214adb38f97587d7b32038304295

SHA512
bc3c8d14b807cce3814130fbc397daea25571bf78b91333cbf7db2524bb90306e63c0769873e3e0f35300ca452ddf538410569ed394c0f6eaaf4d4f45549b842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e38665eab8a1184dcd2204a254d598d1

SHA1
8d254594a28d40ced037e56140893b8a166e4d18

SHA256
0a3a23fcea40c669751cfc2bd3f1c045231cabcf42675b5b27b301ce5e23d359

SHA512
539c6e5cb81faebf20d9012cff12b4561ba1ac38bf3e0629f5912452f86c0908094c408f3ae15190c3f50716c6004732defc9469f255bbabdd923b7cbc535b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3609cf8334de71d2d22cdc1eb8f8dbe2

SHA1
e025c8a1c2f15644f3d5b0869ee6552ba38b8da2

SHA256
e24315701f87d63b5d182ca1c7129c3af5f2225008a41b10a4dd8d8b7c6e71b7

SHA512
5637672bab3f54cf902c2838e692b5bacc646d26e7f617da38360b0e96839b735406f50ff1d859946ab2143a67cacc02c7b4db173298ffd1577341f57767902f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1399a75b42ed0dba2f093abfaf85e6b2

SHA1
fde50ea3663cc43c6ea89f846824164156a40c7d

SHA256
275b0b2ee69c9caa3e4daac405debf50602768d9d8f138082e5e829afdb6b3e6

SHA512
a32b437e21ab88c18045084f8488a038687781835583dee4604f8c38d5daadcdc0b629f41ac2d105a57be72f964c8ee7786db08c870ff1805fc452dffbe51191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5637c60101a05ec80adbcdf22d66063

SHA1
a75f444dd41fa3df316a795f3be23fce311dccc8

SHA256
119fd0f320c598192983f2d173394dad943652c9ca170b4e5d85deca4b60047e

SHA512
3e6fb31172bce7e1f794016952bcb631960be8a488348c8a4e2bad8e9607f0103dd149f400309fc22101c7127f6c762de47c2e4552b3ef0f87e13e520ef14a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d6c7e33e900cd693cbed4701a8ef192

SHA1
d811c7afb16482cb112e59a8956902928fd58d77

SHA256
b0a53afa195b8ee6dc2651b08e8bb553e85c75d37cccdd835c2130c71cc23d69

SHA512
715d20de9b8aeb42d54ee543f965fd7c33bbbd6fd4c526e1c7099a6c510399257375fa0cc728995cf907f0fe5ee415541eeecad190672d51d59573c56e3bbbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f17bee433964893efcf32e6263a26ba4

SHA1
bde01347c0f5dc6ccc1806c0f1876c3676ea0acd

SHA256
dcc69cb203173cc097f3b202b0c8b1fa0b6145f54e7188fa1ba49792215390ad

SHA512
abe015b7a2a17140a8b98832fd003b81bc9c46f4c702e2b35217867f593bbfe48d0e27e5ecacb8732101e643d33e2a69118c596fbe8fe319109c7058a8f5b639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a92c6acdbbf6525293e8e1c27b59a6f8

SHA1
f869b70a5a027e43d3420ee9a0d0cb3ddf510bdf

SHA256
d757b9e5aa1fd582ecbd12fad0399a2aceaf1b0dbba19abb2e020989fca4ac8f

SHA512
b1afb56096f0973a305ea0d4c1f6e0319f8642318714456587f16076d57c7c79563d0162e9e644d70e85c9d4b4234530f06ede25861db84a3ed6e2e1e1a040a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd94dce95555945dfe528dbd8adf217c

SHA1
1970335fe87253214e0c87af5fe08989a2c15200

SHA256
2537156a9719e720249a8523e3ba3bce74dde85c63de1742368acc1094a22b89

SHA512
7fa69f6fd40b9612cca690ed9bec0e755b5cba2d4a170da8a5ade9b4b7eb4b7547d1f81466bcd155a66782370b1f195eed637abbe2f2f2c1957d3a7b617fb3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7009a959129a91dea1983539d5189588

SHA1
74a6e61a303315adc40aa67eb3c45e7dff15d507

SHA256
bcddf5b50d12df41e0117ea7d89773225f3cf076adce1fcc2eff3ced45201dd7

SHA512
5c1ebf2e800d50393c73836cd340e7a9574f26b94e541f883dc646dc3ff25d08ea1f642a18ea87fbe52800f6e4a6393fe1d3dca9001d944ecde0a0475c30fbd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3b3ad0f52914319f2f32c24059f8c37

SHA1
26f7f0831732451bcf91f23d1f0a2d9137ba3507

SHA256
e01b806c8caac0f6607dfc2bf90b84bdf7b415e064e5a7b3751ba1d57fa6b523

SHA512
daad61e8b2421eb1a60cf8534ce6868b8055be60ca389dd05ddece821f486285f0dccabb01ed3ea478b5d54483b7a4df89b61c9a03ed67e0da736b17ce1e3792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e88f56e38381283f300466ef0edcbde6

SHA1
beb4e630f8f40e1ea24bfc763e8ff98bd5b211a4

SHA256
2b2fe79c14a413c7e251abe2bbbc78d8832d8bbdadfef040359f4d524d2ab17c

SHA512
99a1e530c4622d9c40793e4de8195d95d71a5e5b117bef30fd2eb02c3dfd4ff0d73543acbb94364f9b3a9e8b4314de72238da91900868d50d17548611271b3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
857141e081b0c2501415490c8b5c9a65

SHA1
3646211c31dd3a3ca4f7ce456d02d7f72b288ecc

SHA256
e38d9b161961ae0a8fca26309871d744097e41aaf45a30406d0518438c96826b

SHA512
fd78faaf64a873206b9bf055993bb6d27722b2e047a7d0a1ed92ec103f0f04e21043ab98df8434e7bb9101fb74babc3a1da6b4726c904507cae120cfa11ee5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
792ddd3afa3579a1fb49f6fcdf659e39

SHA1
927022ba36d9033f183d37965147ed863433cd1f

SHA256
4e6e74fbab44e722d24a72d636bd6e0b4b59287d36d87a08ffddc3ead257cfd4

SHA512
c8109b2c4a2753591a043aea5b6e25f2734fb1d34b932c7ef1681bf2b4b471f4d28a4c44d5d529f08b8cb117283537bd8bd020fb2842c34bb522ebb7fb73aaf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
720ea0ccf7a919636653d9f0d764b5ca

SHA1
9663e775c4fc870c5e52dd5f77aa2f244a47f3e6

SHA256
6a4531b1b2891a4d761735548777ca506430f5e2b7917a40995dd79acc68e60d

SHA512
d434f2e1f3fdb6973a028fe010940d5a3dd11ad1920464b6275f4131f475506cd85b33ec7a4a780ea6eecae5897149b04af909e01983c995e7872d8258a1c266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c35b1d4e5376dd73ae111f4dfa81946

SHA1
c0979ed612d3da27666aa16766a99c1057a04287

SHA256
b3252bff0280cc2a41e44031adab681595c9636ee1b1360e807fb2e0e9bbccd7

SHA512
99b2213151b7a635843fc6f6b651e22a77a9cd17cdb143d9ada3504816e4ceed538b3e7f2c6b9ced21b90d5faed3ff9b2183bb036199e0a76f45e743698f6423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffcb3285442d2e37572262e3135b7e9e

SHA1
a393357de9408d76b4a1dca003faccb9c81dbbed

SHA256
4464443e8a45aa531cd387b96b469aa077b80ae0938eea1e887731dbb52188b9

SHA512
c149c73a4a7a7dbcd711ecc0401282ae019e42f3271469cda503b0a758c789626efd5f2d147852fd297c9ce33b55031d925db903d207799f9e3b8e6415f3b35a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b7b5557ad7663833594a4bba80222e2

SHA1
ae632e4a004235d721ad494838c059caf3880136

SHA256
f56d4a8d38e8b88e1968f9286f223a9ab5c0f6ff6bf0e87988dd671360202190

SHA512
4e40d6fadfd810c5ecc26871b16b44a4837b65ba8a2556c191ac8e9989cc0e1d40cf9706c64d78df42148e8f47d873d23df194f635a488fe58f1cd05d27436aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ecf3d4ea0c8e211616ce7fad7bc5314c

SHA1
532eb9c21bb6322a78d955a33ebbd68e868a9903

SHA256
403e1278dcb26e5b9569117df777c334c4cc5bfaecab20d0854b7011e3b633e4

SHA512
10d8e583c156369bb791470f902a71a54e1d24f78e772d6407d70547004764af625fd239f0332594cdb391c9be8efd49602e245c18fc00e8777926659f359506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat

Filesize
5KB

MD5
1996955094460396703bb89f85cfd633

SHA1
d1732e25c382e22eb23fe7be8f8705809c541c27

SHA256
b5ea1410107f62b5a6464f0222260b3b29004249c6307a4dcbf210c9d9fd22b9

SHA512
98e8c0b47f87186c09efbbd00a5f62aeebd6275b3a775b61780985f667122be5ba722f08fc9d52ac519cb3c2126d27a6769197a0bc2addf69d639c1167d98d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2C485U7\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar181.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/1452-935-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-934-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-938-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-937-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1452-936-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1740-1498-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1740-1497-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-1000-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1740-999-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-998-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-47-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-35-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-930-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2600-929-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-928-0x00000000005C0000-0x000000000060C000-memory.dmp

Filesize
304KB

Download
memory/2600-994-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-927-0x0000000000540000-0x0000000000582000-memory.dmp

Filesize
264KB

Download
memory/2600-926-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2600-67-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-57-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-61-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-59-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-51-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-55-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-53-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-45-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-49-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-43-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-41-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-39-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-37-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-0-0x0000000000B30000-0x0000000000C12000-memory.dmp

Filesize
904KB

Download
memory/2600-31-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-33-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-27-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-29-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-65-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-63-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-25-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-21-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-23-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-19-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-17-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-15-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-13-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-11-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-9-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-7-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-5-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-4-0x00000000049B0000-0x0000000004A53000-memory.dmp

Filesize
652KB

Download
memory/2600-3-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2600-2-0x00000000049B0000-0x0000000004A58000-memory.dmp

Filesize
672KB

Download
memory/2600-1-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download