2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

Target

ZoomInfoContactContributor.exe
Size

259KB
MD5

0b5719e9fd40b85d4d95e475e9431cd0
SHA1

132151d26e61d2fda4e4b31eb376a41ea0d56e6d
SHA256

2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b
SHA512

ed17497df8e53eb9a49ff3d6ed5bf8d84f17a045947a4b474204a8bf06254f8a801be1243599e526123ccc5e88af389f718021409567ac86ed28d988afd3d1cf

Score

8^/10

discovery persistence pyinstaller spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

coordinator.exe

pid process

2316 coordinator.exe

pid	process
2316	coordinator.exe

Loads dropped DLL 16 IoCs

Processes:

ZoomInfoContactContributor.execmd.exe

pid	process
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
1756	ZoomInfoContactContributor.exe
2264	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZoomInfoContactContributor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZoomInfo Contact Contributor = "C:\\Users\\Admin\\AppData\\Local\\ZoomInfoCEUtility\\launch.bat"	ZoomInfoContactContributor.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ZoomInfoContactContributor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

chrome.exe

description ioc process

File created C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic chrome.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic	chrome.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe	pyinstaller
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe	pyinstaller
\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe	pyinstaller

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\ZoomInfoCEUtility\uninstall.exe	nsis_installer_1
\Users\Admin\AppData\Local\ZoomInfoCEUtility\uninstall.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 87 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "141"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{262D0321-2A97-11EB-9A79-FE442E565B8A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000061dd8e5192ca6d4455291e383c2676d3a5139b702c9ce50863689ffec5063317000000000e8000000002000020000000e44af35fa200f99140cae933c3b622b19b679771aefb9c802371ba170fe77ca02000000099b54028f13884fb952016505669825089f9e4c2967966004ca6f330bb79b46d400000006a7c229a3393e4c6d86ddd3e0d0096416b7c9a7f907e12aed50573a9491d261d167e722b548983029fbd88e0dfedf5fe710f41f2145ccd3cc63d7b0e333e42f1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.zoominfo.com\ = "141"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "68"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{254C8E31-2A97-11EB-9A79-FE442E565B8A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "141"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "32"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000006ec55c3634d4e988e9817186bdbac977ab1caf95c864f91f74200b4378ab01ea000000000e8000000002000020000000d742977f4a76a914d65cf68a2c7fdfc4949c31259aa2e879925ab5360240a35790000000170ec09f82cfaa97aa2f58e7be6bd2b594e8425e60fde0e08215682722aa1322b35809830767240a8450f68ec043ff07fa7de81b37d74481344b6ad833c5b916c337551a1f8ea30940b9aa726a19b3d57e65595bd6f6f876ac2fed813e31abbdfb4a4f52eb012b3e30cd45c183e14cbe3671b481f16790f51fde02fdfe925565caf3c21b7780f662cab7f737647c5bc740000000d31cdc62961ac6288745c79aef0bfca9f16dc780a5e62eb43ef875ce64197b72506db021918ef3ecef7535013055dca315fc05bb582d30dcce3ba420149f5e6e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "17"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.zoominfo.com\ = "128"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "17"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.zoominfo.com\ = "68"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1007"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "128"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.zoominfo.com\ = "1007"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.zoominfo.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\zoominfo.com\Total = "1007"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312576401"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ZoomInfoContactContributor.exechrome.exechrome.exe

pid process

1756 ZoomInfoContactContributor.exe
1756 ZoomInfoContactContributor.exe
1880 chrome.exe
324 chrome.exe
324 chrome.exe
324 chrome.exe
324 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ZoomInfoContactContributor.exe

pid process

1756 ZoomInfoContactContributor.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

chrome.exeiexplore.exeiexplore.exe

pid process

324 chrome.exe
324 chrome.exe
324 chrome.exe
2232 iexplore.exe
2384 iexplore.exe

pid	process
324	chrome.exe
324	chrome.exe
324	chrome.exe
2232	iexplore.exe
2384	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2232	iexplore.exe
2232	iexplore.exe
2384	iexplore.exe
2384	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 189 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 324 wrote to memory of 840	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 840	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 840	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1620	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1880	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1880	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1880	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe
PID 324 wrote to memory of 1600	324	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat""
2⤵
- Loads dropped DLL
PID:2264

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
"C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe"
3⤵
- Executes dropped EXE
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://cswapper.freshcontacts.com/client/installsuccess?client_version=62&os_version=Windows 6.1 Service Pack 1 7601 64 [ ]&outlook_version=14&outlook_bitness=32&autostart=1&client_id={B5D60346-1775-4B46-802E-986BFA94921A}&reachout=true&appid=3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5bd6e00,0x7fef5bd6e10,0x7fef5bd6e20
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,2158292486174966766,9104182733869651485,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1104 /prefetch:2
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1096,2158292486174966766,9104182733869651485,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1220 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1096,2158292486174966766,9104182733869651485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2158292486174966766,9104182733869651485,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,2158292486174966766,9104182733869651485,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
2⤵
PID:524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275458 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
48d7b88f7986388169c9f46bd8d48050

SHA1
f34113edae5d2fe7046d9250a019bc19cf6534cc

SHA256
679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8

SHA512
fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0dc9e07b2a91d973527e00757d4d7845

SHA1
3921376fe44b805d4dfe6e36a2f80555958d7d12

SHA256
1ff6fed235c2b16812d2d700c10b789522df3d95baa24cd3355c680a57aaa86f

SHA512
7853f213148657d3dc1f19583ae3413f46152af008a863a2ad7381b043d09d6c24ae19b3e2c32a5ced120547b147e5f92b0229848804425c74a53bcaa9fc1dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
907f128286da7606f1d66f6e6685ef75

SHA1
815438bc827615e9c0f3cc5d5cd0c99942ab4785

SHA256
59dc0676c81024c29da00c6fcd74930840f1d2d3b1d6064b2c03a51ebee65106

SHA512
a5863d05ab8aebcbc5c52c7784a40f3bcb76ae853d93c283de933d18a2f3fedbc6576e441582f0d83c729be07e91215605e033dfb7c14e0f4c772a9cbfd5c684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
5d2b7c357f78b285e1a146dc1c4f2a5c

SHA1
3ef93437ece38fd575e34a202c3ae798a6caa16d

SHA256
6b639fb29ad165ce788d1ad95a3c2bc543e284dde4611337c4139b46c387cfb9

SHA512
d27aa94000ec6b12260b80cbe9a209d2a571da04cb2254adae59c28a23b24fa1d716b8636476edb2b319711901421adb9b3908738e03bfd613d0da6b5f6a97fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{254C8E31-2A97-11EB-9A79-FE442E565B8A}.dat
MD5
8a8fa2e4909aa7f8182b272d0ac18cba

SHA1
72d24b4b49498122176d79123d91b399a651091f

SHA256
0a1a0f50fa5cb9f591d74f06ca2974cfe577b75b6c8f9b78ae784a2e05d07a99

SHA512
bb878e7d4b184e4bf956116c174cd4563b48433369f83b2b47457bca174274c28e0d650ad3897783c7e102bec4e144aaaf13789df45d21e487b274daaf3693f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{262D0321-2A97-11EB-9A79-FE442E565B8A}.dat
MD5
06231dfb664c370552354c5edd8004bf

SHA1
e8a64a38ef1c85c343e84d95c494f788235b74c2

SHA256
ca5d756b8b014fc1f16cc4769fa330408ba0ac1da95168b2bbcd91b2d5801339

SHA512
40ff0447d1ba41dc636e7c1ffc516731900eead272b3fb440cea831e2de62dafb5f5dd8f42ce4196897bc604273ef3ade48f31a5a26ba6a97021ad7f546b49a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
a94db8ab2107ed85e767cf8263bb9dae

SHA1
2247bd03370d18ba9e5bded9ccbfa8b57694d580

SHA256
e60ae8e6236a5bed170ccb911edd8c7594ec5fc459cfa05121eff168ccb8abc9

SHA512
b8a7277f601e6bb0751a74016de929cba9d7ac926bc569619df0a313fdcf08c7c0e7492bf34bae400335077de3ec7c388aa8e2bf4a372dfc22229970e15e92a2

Download Submit
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
MD5
d4ead13be3274f2b42fb3b53ff142cd9

SHA1
d7cb84bcb2c3e4f57171462000c125f35e63f7e8

SHA256
554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

SHA512
6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

Download Submit
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
MD5
d4ead13be3274f2b42fb3b53ff142cd9

SHA1
d7cb84bcb2c3e4f57171462000c125f35e63f7e8

SHA256
554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

SHA512
6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

Download Submit
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat
MD5
fd4594751cb4a3b23e54ae582c4dd0e8

SHA1
13218cd2470e14221f6fce227a056ca489c98fa7

SHA256
5d7a9c239af404e403f16dd2f1383aee58721c5cfd66e4e1a40e41aec2da057e

SHA512
34af0afd31ad70d21f642c56d1d14491a82213c2f524c9c24037173109ce88267257a33ee0a03cc8ce430697823833c4567b5fa457c9e8ab29ca638dff85131e

Download Submit
C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\version.dat
MD5
f3d9de86462c28781cbe5c47ef22c3e5

SHA1
5ec475005d2a5e68419080231b038c154aefaeed

SHA256
4ff57f0bce33b3f1663fb61a77e73fa4a65692726efb43b547ce6ceaa37145f6

SHA512
b47286c41cab48b98af5facde13b16de6873b1f0708ec173c9a8a087c9b6c54e8be836aca17d5b0cfb4fc6d963787a8d995b85bf2c8b90249edb91eb005799e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9N8XAQUA.txt
MD5
81633686fb4ea07e21dc881781874c80

SHA1
5ac2dbcf0f74c80b7b5d220e10bcf1ec9c1ceea7

SHA256
d5558e3b4b16a72f2aa9ccaf3129f64e362b07e6fc15a17248a56b609ce93be6

SHA512
ffe735c3947ee74eb86b5556db8a123900ba4a251143f9ff6fe11b7916ed3369e91ef14413f3b101b0d07cea3f35b1b3e51dec35f859a77f55e814bd05eccb86

Download Submit
\??\pipe\crashpad_324_HPBXCKETDALKISBC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\FindProcDLL.dll
MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\GetVersion.dll
MD5
2e2412281a205ed8d53aafb3ef770a2d

SHA1
3cae4138e8226866236cf34f8fb00dafb0954d97

SHA256
db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00

SHA512
6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\nsDialogs.dll
MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nscF9AB.tmp\nsisunz.dll
MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\ZoomInfoCEUtility\2214\coordinator.exe
MD5
d4ead13be3274f2b42fb3b53ff142cd9

SHA1
d7cb84bcb2c3e4f57171462000c125f35e63f7e8

SHA256
554f8fea1460df263070edd9f0b5cf2905fa677e744b53734ffc0b321ca311b2

SHA512
6aada02815a75297f57c81cb8ac3db54b8cfd4888d586445f23b6f7296c9a9a167bafe5a3f581bd795e4f18e7a0cde660c9552612d706dbd88e3121477111233

Download Submit
\Users\Admin\AppData\Local\ZoomInfoCEUtility\uninstall.exe
MD5
80c52c4e77d49a21c61cd1f2809e82c2

SHA1
ffc2bdc4c18c60340c04b65e19b19479e3447f52

SHA256
4e12c7c834cc57263432dd0925de522a4aab07a0532a4693ea5d90aca6aaaa38

SHA512
1a96e0978f9837f870fb95e9922b54263852a814a444a9dd692d41671f2e711080940734327eba32cdd12e71048fbe250b3ea7b4033ff834f4beff26b0939fea

Download Submit
memory/840-13-0x0000000000000000-mapping.dmp

Download
memory/1600-27-0x0000000000000000-mapping.dmp

Download
memory/1620-15-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1620-16-0x000000013FF43F60-0x000000013FF44020-memory.dmp

Filesize
192B

Download
memory/1620-19-0x0000000000000000-mapping.dmp

Download
memory/1620-21-0x00000000772C0000-0x00000000772C1000-memory.dmp

Filesize
4KB

Download
memory/1756-56-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1756-55-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1756-45-0x00000000034D0000-0x00000000035D1000-memory.dmp

Filesize
1.0MB

Download
memory/1880-20-0x0000000000000000-mapping.dmp

Download
memory/1968-35-0x0000000000000000-mapping.dmp

Download
memory/1968-43-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/1968-41-0x0000070000040000-0x0000070000041000-memory.dmp

Filesize
4KB

Download
memory/1968-42-0x0000000008E00000-0x0000000008E11000-memory.dmp

Filesize
68KB

Download
memory/2264-46-0x0000000000000000-mapping.dmp

Download
memory/2316-52-0x0000000000000000-mapping.dmp

Download
memory/2316-53-0x0000000000000000-mapping.dmp

Download
memory/2344-58-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/2384-57-0x0000000000000000-mapping.dmp

Download
memory/2452-59-0x0000000000000000-mapping.dmp

Download
memory/2488-60-0x0000000000000000-mapping.dmp

Download