agenttesla | c3c64f2edc0e3e59c0e1526910c08623981c8c8446f49c0887199f35c4a8f57b

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank_Confirmation.exe
Size

882KB
MD5

f82b121e447bb312a0c383d78a90490f
SHA1

a2570c68231136bb0d7b260f906d1e5a78c25f48
SHA256

d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
SHA512

cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
SSDEEP

12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-2-0x0000000004150000-0x00000000041F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-3-0x0000000004AC0000-0x0000000004B00000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-5-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-4-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-7-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-9-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-11-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-13-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-15-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-17-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-19-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-21-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-23-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-25-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-27-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-29-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-31-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-33-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-35-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-37-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-39-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-41-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-43-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-45-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-47-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-49-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-51-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-53-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-55-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-57-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-61-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-59-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-63-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-67-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-65-0x0000000004150000-0x00000000041F3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bank_Confirmation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	Bank_Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank_Confirmation.exe

description pid process target process

PID 2472 set thread context of 2176 2472 Bank_Confirmation.exe Bank_Confirmation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2916 ipconfig.exe
2024 ipconfig.exe

description	pid	process	target process
PID 2472 set thread context of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe

pid	process
2916	ipconfig.exe
2024	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000008f313b66588fa0c8e48bac0a9d62d9d98152413a0929663660f8f2c2bbc32861000000000e80000000020000200000002d3baf78867d55893566677fad2949e6c6e9da4ab6dac2487a766bfbca76fd56900000004059688f1b67c3e9ef0c72287b22ad9b70ef4d1e96bb59d657272ab5479528c57d1a872183ea3628cb9361460bff65c9b1a218944c90038889a1e22d3d657dd02e34be6eafe8f6c3bb5442af876b61099574fdde28aa17ebf43c3900b14eba30a9e08b4acbc1cca3adef6c7817358176f01cfd9377b20a1183c64099b67a7a2d0ba11537795646241656ed45fc4881094000000029ce8e924ce08a3dd4d38768097d7685b1e727d6ae7d382021365fe7fdf8a591c713b649118081ff45e2ad2d68bdadc776d7a429edc45c86d7540806d23dd59f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b473f8102dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000ba64aac93791677bb9c9cecf7135f1f3a3e6ba0d7e5a143dd6616dac5ee57359000000000e80000000020000200000001264c8d5093a22febd7374b853ff06699abd4ebf9f028671de94ea6b1f24ddef200000001e59844ad3f2ec79ad131b35a04ee7a8fbf808faccfdba59519caaaa7e90f1b5400000000c2512fed4bbee1bfa911ecdd7c93a6f244c4df2a4806ceba4d68492f7ddcdcf57359f7ac654b0a345d30c056c9228dd1ec8f6d8bf6763cb3bd839b4edeaa082	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408557221"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{225A9241-9904-11EE-BBB0-CA1D426CB735} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

pid	process
2472	Bank_Confirmation.exe
372	powershell.exe
2472	Bank_Confirmation.exe
2472	Bank_Confirmation.exe
2472	Bank_Confirmation.exe
2472	Bank_Confirmation.exe
2472	Bank_Confirmation.exe
2472	Bank_Confirmation.exe
2176	Bank_Confirmation.exe
2176	Bank_Confirmation.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bank_Confirmation.exepowershell.exeBank_Confirmation.exe

description	pid	process
Token: SeDebugPrivilege	2472	Bank_Confirmation.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	2176	Bank_Confirmation.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1488 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1488 iexplore.exe
1488 iexplore.exe
700 IEXPLORE.EXE
700 IEXPLORE.EXE
700 IEXPLORE.EXE
700 IEXPLORE.EXE

pid	process
1488	iexplore.exe

pid	process
1488	iexplore.exe
1488	iexplore.exe
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

Bank_Confirmation.execmd.execmd.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 2472 wrote to memory of 2756	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2756	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2756	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2756	2472	Bank_Confirmation.exe	cmd.exe
PID 2756 wrote to memory of 2916	2756	cmd.exe	ipconfig.exe
PID 2756 wrote to memory of 2916	2756	cmd.exe	ipconfig.exe
PID 2756 wrote to memory of 2916	2756	cmd.exe	ipconfig.exe
PID 2756 wrote to memory of 2916	2756	cmd.exe	ipconfig.exe
PID 2472 wrote to memory of 372	2472	Bank_Confirmation.exe	powershell.exe
PID 2472 wrote to memory of 372	2472	Bank_Confirmation.exe	powershell.exe
PID 2472 wrote to memory of 372	2472	Bank_Confirmation.exe	powershell.exe
PID 2472 wrote to memory of 372	2472	Bank_Confirmation.exe	powershell.exe
PID 2472 wrote to memory of 2148	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2148	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2148	2472	Bank_Confirmation.exe	cmd.exe
PID 2472 wrote to memory of 2148	2472	Bank_Confirmation.exe	cmd.exe
PID 2148 wrote to memory of 2024	2148	cmd.exe	ipconfig.exe
PID 2148 wrote to memory of 2024	2148	cmd.exe	ipconfig.exe
PID 2148 wrote to memory of 2024	2148	cmd.exe	ipconfig.exe
PID 2148 wrote to memory of 2024	2148	cmd.exe	ipconfig.exe
PID 372 wrote to memory of 1488	372	powershell.exe	iexplore.exe
PID 372 wrote to memory of 1488	372	powershell.exe	iexplore.exe
PID 372 wrote to memory of 1488	372	powershell.exe	iexplore.exe
PID 372 wrote to memory of 1488	372	powershell.exe	iexplore.exe
PID 1488 wrote to memory of 700	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 700	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 700	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 700	1488	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2240	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 388	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 1736	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe
PID 2472 wrote to memory of 2176	2472	Bank_Confirmation.exe	Bank_Confirmation.exe

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:2024

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
C:\Users\Admin\AppData\Local\Temp\Bank_Confirmation.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9f277b4f1ff6086564d61e6e985faace

SHA1
db7b08d37d98503a2054493c53454797ab92b486

SHA256
6a7faf91488a688b3fff47936fd1c710061ad26e84e2ee34bb5209ae1fa21a33

SHA512
6ac145601eede263393d3a8142a325fef29e345434a78f1c6a81f350b2646db7d65bd97c56280071d47e8fd2f208bcde51de5a6cebd399c57f4a9015d4eec884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8ec4124a7325fe45ecfd37706b5d082

SHA1
a059b39cc44e5f7295abf74391cb705af3daaf5d

SHA256
74055959d20bfef0a24d9e069e986ccb3dde11dced92203b44e4a35292678ea3

SHA512
572998484c7e2a303cd2a9cfde670602ea0cdb24b409113ac80295ecc24f50805dfd3a4b8caec4f8f139eac34d7a39b74948ca17a2fe6c59672a6fe42b4ebd03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cec2c7a2ec2d26961eb706356da073ed

SHA1
5e1678e880d667732c677b93f7e81d3c4eb3478a

SHA256
19d2c7e2109420230f4e0a96597e1c67bf1b8cf2f3db0d16bf86d368b0f38c60

SHA512
8d2c1a05f13bd892959ff1917c1b803a5ebffae10ffb166f026ce6820b7b2a1ab6376126ab04ab935371b964012437f026437d2f6c6fa698ec580b95eeb3353d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d9dbc30fd4732559f64ff836809085e

SHA1
ebe1c3d86dc97971ab9b5db98dd0024aab25ef49

SHA256
b42dd30c760be8ee8a8f765158869e13106021840bbd783283b52bce18e3abc5

SHA512
44d5b68d311935d254c7582f895ce4d07b99268cc910004d7a76f6f7d9a72789332d1699306ae019f6678c263106c642973e8467c485ff8df63bdf80c22b7ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8180964b2a87b9f41f0b657b2832ea6

SHA1
142c0b85ce8e1808020ad206c202539cc8df000b

SHA256
852dc8dff2cdb39849c5a58739b2e2f48f877371b282518618d3b4165509fb30

SHA512
e31518c47b4c827fd0e720ebd54263e521defc189da4d5d423db125499ef0e5abf04f83b341a201a2128478a3b986ca9b7dc467e2246c2bb3a0aa9cac217a2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f11d853955eb1fbc1b75b165b4c9aaf2

SHA1
586e4f1381bf1c8bc180934b7486e4ec31e85087

SHA256
e5890f77efbb670f652ba3cf801fdedaffa16697a0c3899c0dedd68c4b1c2e9f

SHA512
da4640d210a7198571122e95b03b70b9a7798c2b66725c5f9ad22c2fe548f298989264f004c88626bd2a9a40f2d36ffc1eaa18d46e779bcb68f80adb559f84a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3dfba3cbb494c336509c19d09138ecc7

SHA1
e71d6de943ab6ed4644fe1ce195ef460b550ff91

SHA256
a4743f378a2088b6a0923fbb84693ab3ffac6872c0d083c6f5944db40a09c7dc

SHA512
654fc869121a67ad3e6a54ea3ca28c839ae3e1584674bc9b6d1a0b9ace0dffa516772822980f61ef6602d2fc8218ed8a307430a73f7444938dbebe63dc232132

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19fd7c726f4756eb83956f4dca60965f

SHA1
062311d69ed3beec890b84309b5f62a6db27641a

SHA256
51c01622557d0b208e658feba053947de4b8ec609b6cbc83356ed3e11f9227b4

SHA512
bbfe6587f0550396fa542657e0753c13d116f572dd6f9326c71519f683cdd2beff108cdf034132ebeea7a8444691b26791c1f899917a6ef8c74105dcdf7ce8b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc150e1c99f4165fe0db42765b7047e9

SHA1
acbc2ed05d3df8ea78ab95f10dc1a26ac710f30f

SHA256
6d52d24987ddaf947030fe88e06e56132254a0643dd345d3ddd6977236b8ef2c

SHA512
13ff56045302e5bd36aa48ac81992f773f3f2abf002a0161809491d127941c018448cb2556a24aeaf622e0d5c32da19b305736079123a88fbf2526998010be5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4dc1e1ce96e34c7c9601faad917fc6be

SHA1
b435eeb34b507f6bdb3f2422a99c65fa617df618

SHA256
facfe774807793dec698033089fe7f84028e304a746d360a50764f35c702b9a1

SHA512
af1638e109d38dc2594766c96e5287c0ce2ca30dd81135c9592d391d866412a553c2258bd6f862ca9d5e7cfcd100d11d6b56070e412e8a7597c1398134bb9148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84a6266da3f4b9810ea846cae52c0a63

SHA1
194bfb94bac5865387b305adfdb741b1841ee4a1

SHA256
01e5be6a96a606ff06b508864680eaa8c6fb8a99294fb296df2bdd0ef53f6c30

SHA512
f9add817f43048e1de97059e296b70066d8f6757773167bdad7fc41aa22e1451ac14bcc0068be4bc397c012d6cae693ac128d61258d4c83749986158364dc97f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e1025a2f3221a3857ba6655ebefcdec

SHA1
61f92ebbea2c8451991eadc0b5cb3d2ef12be751

SHA256
1a580589fc8ebede4460c52cbec9e2f01b22d617a5e08b7b11281e2f42c63c59

SHA512
1d997996d09f085df5733154f71fdaaa76eed643a38f3ea039df5200221f96390dda19f3484197e64cb090ac570831cfc40985f6f4955162d5cf45293f167f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59ecbe6627c92b2fc21357cdf9fa4968

SHA1
22cbbb1a71d26c509ba212f6db7a5424bbd37939

SHA256
3cb68333cbf3cefbb547b4129cf86e4438270e42bf2ea2a3a80d9d5c5bbbab7f

SHA512
a82ea05a1d98d02756a05ef3885e2b245d822da3378ec2554c6d1358c18cc8613000bdb25c9d3eee69939372216326fec190ce6e7fa2bb2eecfbac575aabeae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ee542e2a659ba202a66542c0d535d70

SHA1
ade096450e0fa8acc6881678e2c0a62c98bc1124

SHA256
4f34873c988897e10239a48951bd8f011969235712546888092e57474c10cd58

SHA512
67f51e2441db4eb702146c2630f5b618e903084906de37d3e6932420b480a62c1ca47859dfe84e48ed3c542a6a2d54db0573e916cb200a13eefa9242fc3f00e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f16835f9769b10c07b583c1f35fe843

SHA1
b0546f762176a43462992858b7bd65890a108219

SHA256
36059ff154d4bdabfc2b7faa2b976f0e658c1f9ad92fce37993455a99b32a249

SHA512
b4a81d388752f6c0823862345d4a885708846cf125c99a1aaa0edfad2d74826aea1800194be8b11e03626f58c5498f5902c8298c7aff692ffdd313e1585f701f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df7c483240a5cea8161eb870d20564fb

SHA1
ec5ff53f3a6622becd1a61bd4f5e4c68527c50f7

SHA256
7c25246c7ee6bfdf82373395b6a5755e30a0506ba40a9f660410ced83e937e20

SHA512
bda76de0ae3f22170b0363e45aeff8fcea23ca71384372878041163c5b90accce11e53b2c27629c79e25469768040c9cd51912f35b8462515b042e0efeff8ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb5ee9ee596402a0b955ee00cfca6d9c

SHA1
e5ffd1df03aa5202e63bd2459fb646e4c0b4714c

SHA256
0c8fefd8197a0fee105fb5e37bb7d803c3abcd0ffe384e381e5fd84a29f79cd6

SHA512
871b9892c0ac9b4f29300e386e75d6f809142e6054bdae6b4fce966dc51985da884edf5d0683a720cfe7bcc7c31e4bc5fcab606f77be5eb042a2d72df4b316e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f00eb5cbdf63f3f620b9bd3b7f12c887

SHA1
d2b6fbf2f6d0bdde6e447b5b64755939f54e1834

SHA256
87ab16aeaaf18c1ad4b60b59f6fe9c7998e0049da7757f5b5d3dd697f4fa3c4b

SHA512
4d64928a7ec1a9f34281092387ec879f99802e05b9bfc3ebaebe806d34385692a7e1543f54dbe283ef99a8920b91db7617c2dfa64bd59a4cc2a9ca28e358dabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17aeb78b383fc3a8a80ec33a97fe29c3

SHA1
16a9bb45b75809210994785b4d19d976065b44a6

SHA256
02bf31f04efecd0bccf38bc6df0fe4ff8b09e67b6532b69fcdc11de860c304e3

SHA512
e23016e555dc7fca50e2d88520043db181dabc560a8d60319336a2677af4fbd3612510c99606424bddff57c2a8ec058865ec4d9c5964bf7b1cef99ee6e6a872f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d125b1c7d3a96de21c53303ebef2f41

SHA1
33b084ca6788a3fc1e4e02eb44e0e5b43b5d8ba4

SHA256
b1b9ce2a491d6314255eb010da08e3c4683b41e3c65136a3e1c295b322f3ba93

SHA512
10f0711b1eef5994921ed8718b67123c7d08c6db7f9badcdb7690714c751a6db72ba788932fb1b95f66292a05b0ffaa112d360a1907217e99629439e9e76e57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67ba074bb5756dd2fe222646342a7385

SHA1
27580e3e46a1f15382c006dcaa5a3b3b49249db0

SHA256
4492ff00050a86a13049e3b17d5f11fcbde82a1866b28252693c8ad9b85d79e2

SHA512
e1900f8cf4cf20e76f94adacb0de776b258008ef452af36389183acdcf016bfe71716ecae779a46fcc881bec96d2dd846b1c91957ff4cf42923295eb25af7483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b28248f01b6e4d84ee5027dc32e809f

SHA1
97975f7fe90fa55b9c551ed320d1cde4b8a6df8d

SHA256
202d5f852d6ad30209776852bcf6c9a7a37460cffee206e9a913be4f212fbe34

SHA512
1fdd40d9e6a9e26d78bcba83f21c5b90b1f3f92450a627bde7022ba43609576d192d17ddde0ed9351095d7642e7308d6df6f2db8ea8c20e036557c6d21cfe3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9bcf223eb78772cf36e06206de9e5efe

SHA1
b637a9c55c5848f9c57663276613339a6282561a

SHA256
4f02dc5ff4c5df6fd7f444e8de4a1f56f7b041f542819a1e1106feb7af2c4537

SHA512
54ce03e2885ad65ee8832216607bfa7cffa2520dc48a601c4cc4404a9e58da468a94754b5485461efd72e57ca1c97aac34f11f8762cfa5a96cbe110e7f8c4755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pagsbca\imagestore.dat

Filesize
5KB

MD5
1d9a819c2c9b75a31de694fdf6c50f6b

SHA1
82fd72138dca5507f5677d79b808c394dcc6b56e

SHA256
753203ce3907cb68982329364a21b7960ca745f8fec187c5bbc96accc50960e0

SHA512
1fa202260bb04a5d54106c314f8ce212f68517d0bfcd410878c34158262559001c29d561ce299d4bd36d8d5f6faba44cbdbd0952a9daad1fd920d67668966c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA87.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB45.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA98.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB69.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/372-934-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/372-937-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/372-936-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/372-935-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/2176-1510-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2176-1012-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2176-1010-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-1009-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2176-1509-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2472-35-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-39-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-929-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-928-0x0000000004320000-0x000000000436C000-memory.dmp

Filesize
304KB

Download
memory/2472-927-0x0000000000AC0000-0x0000000000B02000-memory.dmp

Filesize
264KB

Download
memory/2472-926-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2472-994-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-65-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-67-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-63-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-59-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-61-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-57-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-55-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-53-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-51-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-49-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-47-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-45-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-43-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-41-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-930-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2472-37-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-1-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-33-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-31-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-29-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-27-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-25-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-23-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-21-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-19-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-17-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-15-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-13-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-11-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-9-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-7-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-4-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-5-0x0000000004150000-0x00000000041F3000-memory.dmp

Filesize
652KB

Download
memory/2472-3-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2472-2-0x0000000004150000-0x00000000041F8000-memory.dmp

Filesize
672KB

Download
memory/2472-0-0x0000000000170000-0x0000000000252000-memory.dmp

Filesize
904KB

Download