colibri | 4ab076abc768084e2243b0dde48747392fc5a0297ca340613c7dc8030a050e68

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2022 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

579KB
MD5

ed2799ab6e7f6a2b10819ec9be7c81de
SHA1

89e811a0a9312e5454bba40fcb13c9059e37ae80
SHA256

4ab076abc768084e2243b0dde48747392fc5a0297ca340613c7dc8030a050e68
SHA512

b32d0c200935012247f4e560aea314dc9f69258cdcb3ee9debe7914f70a3948339bb2fd3296a36f4013dea05d545b15ba4efa674cb2925f584ce7ba6f8c2bbe7
SSDEEP

6144:ixQkRk2IRy6dKC34DyWzcPvuWke//FU5Qfl:ieWgteyH3uu/FBfl

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exe8GEF450BM996I2I.exetmpA4C0.tmp.exetmpA4C0.tmp.exe58HA6C7B4J7E8ME.exeHEMGAM55D484BF8.exetmp518B.tmp.exetmp518B.tmp.exeA7B24DG9ABEGADK.exetmp58FD.tmp.exetmp58FD.tmp.exetmp58FD.tmp.exeA7B24DG9ABEGADK.exe

pid	process
4476	conhost.exe
5024	conhost.exe
1292	msedge.exe
4264	svchost.exe
1928	8GEF450BM996I2I.exe
3236	tmpA4C0.tmp.exe
4880	tmpA4C0.tmp.exe
4508	58HA6C7B4J7E8ME.exe
2828	HEMGAM55D484BF8.exe
1932	tmp518B.tmp.exe
4652	tmp518B.tmp.exe
1288	A7B24DG9ABEGADK.exe
4072	tmp58FD.tmp.exe
3336	tmp58FD.tmp.exe
3024	tmp58FD.tmp.exe
4368	A7B24DG9ABEGADK.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A7B24DG9ABEGADK.exe8GEF450BM996I2I.exe58HA6C7B4J7E8ME.exeHEMGAM55D484BF8.exeA7B24DG9ABEGADK.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	A7B24DG9ABEGADK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8GEF450BM996I2I.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	58HA6C7B4J7E8ME.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEMGAM55D484BF8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	A7B24DG9ABEGADK.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1600 rundll32.exe
4068 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe
4364 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1600	rundll32.exe
4068	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe
4364	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeHEMGAM55D484BF8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	HEMGAM55D484BF8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

4264 svchost.exe
4264 svchost.exe

pid	process
4264	svchost.exe
4264	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

conhost.exefile.exetmpA4C0.tmp.exetmp518B.tmp.exetmp58FD.tmp.exe

description	pid	process	target process
PID 4476 set thread context of 5024	4476	conhost.exe	conhost.exe
PID 5044 set thread context of 4924	5044	file.exe	file.exe
PID 3236 set thread context of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 1932 set thread context of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 3336 set thread context of 3024	3336	tmp58FD.tmp.exe	tmp58FD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

A7B24DG9ABEGADK.exeA7B24DG9ABEGADK.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	A7B24DG9ABEGADK.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	A7B24DG9ABEGADK.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8GEF450BM996I2I.exe

pid	process
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe
1928	8GEF450BM996I2I.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8GEF450BM996I2I.exe58HA6C7B4J7E8ME.exeHEMGAM55D484BF8.exe

description	pid	process
Token: SeDebugPrivilege	1928	8GEF450BM996I2I.exe
Token: SeDebugPrivilege	4508	58HA6C7B4J7E8ME.exe
Token: SeDebugPrivilege	2828	HEMGAM55D484BF8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.execonhost.exefile.exefile.exefile.execmd.exemsedge.exe8GEF450BM996I2I.exetmpA4C0.tmp.exe58HA6C7B4J7E8ME.exetmp518B.tmp.exeHEMGAM55D484BF8.exe

description	pid	process	target process
PID 2424 wrote to memory of 4476	2424	file.exe	conhost.exe
PID 2424 wrote to memory of 4476	2424	file.exe	conhost.exe
PID 2424 wrote to memory of 4476	2424	file.exe	conhost.exe
PID 2424 wrote to memory of 1248	2424	file.exe	file.exe
PID 2424 wrote to memory of 1248	2424	file.exe	file.exe
PID 2424 wrote to memory of 1248	2424	file.exe	file.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 4476 wrote to memory of 5024	4476	conhost.exe	conhost.exe
PID 1248 wrote to memory of 5044	1248	file.exe	file.exe
PID 1248 wrote to memory of 5044	1248	file.exe	file.exe
PID 1248 wrote to memory of 5044	1248	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 5044 wrote to memory of 4924	5044	file.exe	file.exe
PID 4924 wrote to memory of 4512	4924	file.exe	cmd.exe
PID 4924 wrote to memory of 4512	4924	file.exe	cmd.exe
PID 4924 wrote to memory of 4512	4924	file.exe	cmd.exe
PID 4512 wrote to memory of 1292	4512	cmd.exe	msedge.exe
PID 4512 wrote to memory of 1292	4512	cmd.exe	msedge.exe
PID 1292 wrote to memory of 4264	1292	msedge.exe	svchost.exe
PID 1292 wrote to memory of 4264	1292	msedge.exe	svchost.exe
PID 4924 wrote to memory of 1928	4924	file.exe	8GEF450BM996I2I.exe
PID 4924 wrote to memory of 1928	4924	file.exe	8GEF450BM996I2I.exe
PID 1928 wrote to memory of 3236	1928	8GEF450BM996I2I.exe	tmpA4C0.tmp.exe
PID 1928 wrote to memory of 3236	1928	8GEF450BM996I2I.exe	tmpA4C0.tmp.exe
PID 1928 wrote to memory of 3236	1928	8GEF450BM996I2I.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 3236 wrote to memory of 4880	3236	tmpA4C0.tmp.exe	tmpA4C0.tmp.exe
PID 4924 wrote to memory of 4508	4924	file.exe	58HA6C7B4J7E8ME.exe
PID 4924 wrote to memory of 4508	4924	file.exe	58HA6C7B4J7E8ME.exe
PID 4924 wrote to memory of 2828	4924	file.exe	HEMGAM55D484BF8.exe
PID 4924 wrote to memory of 2828	4924	file.exe	HEMGAM55D484BF8.exe
PID 4508 wrote to memory of 1932	4508	58HA6C7B4J7E8ME.exe	tmp518B.tmp.exe
PID 4508 wrote to memory of 1932	4508	58HA6C7B4J7E8ME.exe	tmp518B.tmp.exe
PID 4508 wrote to memory of 1932	4508	58HA6C7B4J7E8ME.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 1932 wrote to memory of 4652	1932	tmp518B.tmp.exe	tmp518B.tmp.exe
PID 4924 wrote to memory of 1288	4924	file.exe	A7B24DG9ABEGADK.exe
PID 4924 wrote to memory of 1288	4924	file.exe	A7B24DG9ABEGADK.exe
PID 4924 wrote to memory of 1288	4924	file.exe	A7B24DG9ABEGADK.exe
PID 2828 wrote to memory of 4072	2828	HEMGAM55D484BF8.exe	tmp58FD.tmp.exe
PID 2828 wrote to memory of 4072	2828	HEMGAM55D484BF8.exe	tmp58FD.tmp.exe
PID 2828 wrote to memory of 4072	2828	HEMGAM55D484BF8.exe	tmp58FD.tmp.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4264

C:\Users\Admin\AppData\Local\Temp\8GEF450BM996I2I.exe
"C:\Users\Admin\AppData\Local\Temp\8GEF450BM996I2I.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe"
7⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\58HA6C7B4J7E8ME.exe
"C:\Users\Admin\AppData\Local\Temp\58HA6C7B4J7E8ME.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe"
7⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\AppData\Local\Temp\HEMGAM55D484BF8.exe
"C:\Users\Admin\AppData\Local\Temp\HEMGAM55D484BF8.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe"
6⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3336

C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe"
8⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe
"C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1288

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
6⤵
PID:4964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
7⤵
- Loads dropped DLL
PID:4068

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
8⤵
PID:3932

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
9⤵
- Loads dropped DLL
PID:4364

C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe
https://iplogger.org/1x5az7
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4368

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
6⤵
PID:1732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
7⤵
- Loads dropped DLL
PID:1600

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
8⤵
PID:5028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl",
9⤵
- Loads dropped DLL
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\58HA6C7B4J7E8ME.exe
Filesize
726KB

MD5
da97861ab4908d8d97d6b4b22bd327a8

SHA1
f1f1663890d90a8db2337d47750050bebe475c96

SHA256
a034d8779acb72748b3ed189cf89b4dbcd693dce83385fb5af0677117f1da9e1

SHA512
ce2906c616f0989825fd3b4aa4cd5760514ab31af5766744b4c0b95d50b85749579d96a7860b7f7034e577681c1f3d6e397e0dcfc645058f87ec65ea6729a930

Download Submit
C:\Users\Admin\AppData\Local\Temp\58HA6C7B4J7E8ME.exe
Filesize
726KB

MD5
da97861ab4908d8d97d6b4b22bd327a8

SHA1
f1f1663890d90a8db2337d47750050bebe475c96

SHA256
a034d8779acb72748b3ed189cf89b4dbcd693dce83385fb5af0677117f1da9e1

SHA512
ce2906c616f0989825fd3b4aa4cd5760514ab31af5766744b4c0b95d50b85749579d96a7860b7f7034e577681c1f3d6e397e0dcfc645058f87ec65ea6729a930

Download Submit
C:\Users\Admin\AppData\Local\Temp\8GEF450BM996I2I.exe
Filesize
726KB

MD5
77094fdf5ddaa0b50dab615eddb267fa

SHA1
3840de5e390d216614e1af34dd5402bafc739a9b

SHA256
6e13805b2d48183881001fb404a52afa668dbb1a88cef942a44d3870b0e325b0

SHA512
b24a6f39ef67852c1ccfcf252744bff0e9fa83831a59331e44ccde2f703a603247d34b48a9719563b91d88c68ade719de53bf8b395324af71098bf5a68dc3620

Download Submit
C:\Users\Admin\AppData\Local\Temp\8GEF450BM996I2I.exe
Filesize
726KB

MD5
77094fdf5ddaa0b50dab615eddb267fa

SHA1
3840de5e390d216614e1af34dd5402bafc739a9b

SHA256
6e13805b2d48183881001fb404a52afa668dbb1a88cef942a44d3870b0e325b0

SHA512
b24a6f39ef67852c1ccfcf252744bff0e9fa83831a59331e44ccde2f703a603247d34b48a9719563b91d88c68ade719de53bf8b395324af71098bf5a68dc3620

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe
Filesize
1.5MB

MD5
d6d18f597f6742c7dc3ff931fbaabf6b

SHA1
b69fe61de3114a5dbdaa6c1361e8efcf43982e73

SHA256
b8f17058e1ee852188ccd1660719cffef2be5ecccf2fd27efae6b4fc168e1d79

SHA512
1f958c8dabe621b48389178e296f1d0a4435975705d286bd36c0754b5db083d95be231675eacc4be9fc5d534a40bdede42581c33924ad21a2229bbf954b2da49

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe
Filesize
1.5MB

MD5
d6d18f597f6742c7dc3ff931fbaabf6b

SHA1
b69fe61de3114a5dbdaa6c1361e8efcf43982e73

SHA256
b8f17058e1ee852188ccd1660719cffef2be5ecccf2fd27efae6b4fc168e1d79

SHA512
1f958c8dabe621b48389178e296f1d0a4435975705d286bd36c0754b5db083d95be231675eacc4be9fc5d534a40bdede42581c33924ad21a2229bbf954b2da49

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7B24DG9ABEGADK.exe
Filesize
1.5MB

MD5
d6d18f597f6742c7dc3ff931fbaabf6b

SHA1
b69fe61de3114a5dbdaa6c1361e8efcf43982e73

SHA256
b8f17058e1ee852188ccd1660719cffef2be5ecccf2fd27efae6b4fc168e1d79

SHA512
1f958c8dabe621b48389178e296f1d0a4435975705d286bd36c0754b5db083d95be231675eacc4be9fc5d534a40bdede42581c33924ad21a2229bbf954b2da49

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEMGAM55D484BF8.exe
Filesize
433KB

MD5
0554658e3f66830bf3852f85fdcca79a

SHA1
955949e9f7efa7da339ab84249734f7729e3ebd4

SHA256
9af6a7d54d21e69db7626405dcc8ec5450000a46db7924cedeaa643cd87ff8e7

SHA512
e37d7c04bc9d02f066626f3fae0a02407b50537792f40a4854260f727fa5fca1c2df9846bf3c2c027be34492b1f78b86a836d20021ec1e8f4f9c1d500b6e736f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEMGAM55D484BF8.exe
Filesize
433KB

MD5
0554658e3f66830bf3852f85fdcca79a

SHA1
955949e9f7efa7da339ab84249734f7729e3ebd4

SHA256
9af6a7d54d21e69db7626405dcc8ec5450000a46db7924cedeaa643cd87ff8e7

SHA512
e37d7c04bc9d02f066626f3fae0a02407b50537792f40a4854260f727fa5fca1c2df9846bf3c2c027be34492b1f78b86a836d20021ec1e8f4f9c1d500b6e736f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp518B.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4C0.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~MUVpA.CPl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~muvpA.cpl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~muvpA.cpl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~muvpA.cpl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~muvpA.cpl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~muvpA.cpl
Filesize
1.6MB

MD5
eacb88395a3779397d1bd7c6def44135

SHA1
c8adbad9581526e6b7788ea14c2f4b041d679d3e

SHA256
c4aa78b97887372544f245ff478d87ceacb265326451cfbebcfe9453cf295079

SHA512
85dc473533d36486005a30cabbe6805208be1de0727442c6d71a9feed8fb70efd5f40dd4c8583058d59b9fa6e7770cfc28403fc5fcd6b5aa864b479df9735efc

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/1248-140-0x000000000080E000-0x0000000000821000-memory.dmp

Filesize
76KB

Download
memory/1248-136-0x0000000000000000-mapping.dmp

Download
memory/1288-194-0x0000000000000000-mapping.dmp

Download
memory/1292-150-0x0000000000000000-mapping.dmp

Download
memory/1600-213-0x0000000000000000-mapping.dmp

Download
memory/1600-232-0x00000000033B0000-0x000000000345A000-memory.dmp

Filesize
680KB

Download
memory/1600-230-0x00000000033B0000-0x000000000345A000-memory.dmp

Filesize
680KB

Download
memory/1600-229-0x00000000032F0000-0x00000000033B0000-memory.dmp

Filesize
768KB

Download
memory/1600-225-0x0000000001560000-0x0000000001566000-memory.dmp

Filesize
24KB

Download
memory/1732-211-0x0000000000000000-mapping.dmp

Download
memory/1928-159-0x0000000000AC0000-0x0000000000B7A000-memory.dmp

Filesize
744KB

Download
memory/1928-156-0x0000000000000000-mapping.dmp

Download
memory/1928-160-0x000000001C8E0000-0x000000001C9EA000-memory.dmp

Filesize
1.0MB

Download
memory/1928-172-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/1928-163-0x0000000002E70000-0x0000000002EAC000-memory.dmp

Filesize
240KB

Download
memory/1928-162-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

Filesize
72KB

Download
memory/1928-161-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-184-0x0000000000000000-mapping.dmp

Download
memory/2424-133-0x00000000010DB000-0x00000000010EE000-memory.dmp

Filesize
76KB

Download
memory/2828-227-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-183-0x0000000000B50000-0x0000000000BC2000-memory.dmp

Filesize
456KB

Download
memory/2828-179-0x0000000000000000-mapping.dmp

Download
memory/2828-191-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/3024-203-0x0000000000000000-mapping.dmp

Download
memory/3236-167-0x0000000001250000-0x0000000001253000-memory.dmp

Filesize
12KB

Download
memory/3236-164-0x0000000000000000-mapping.dmp

Download
memory/3336-199-0x0000000000000000-mapping.dmp

Download
memory/3336-201-0x0000000000784000-0x0000000000787000-memory.dmp

Filesize
12KB

Download
memory/3932-239-0x0000000000000000-mapping.dmp

Download
memory/4068-236-0x0000000003340000-0x00000000033EA000-memory.dmp

Filesize
680KB

Download
memory/4068-216-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/4068-222-0x00000000011E0000-0x00000000011E6000-memory.dmp

Filesize
24KB

Download
memory/4068-212-0x0000000000000000-mapping.dmp

Download
memory/4068-231-0x0000000003280000-0x0000000003340000-memory.dmp

Filesize
768KB

Download
memory/4072-196-0x0000000000000000-mapping.dmp

Download
memory/4264-153-0x0000000000000000-mapping.dmp

Download
memory/4320-245-0x00000000028D0000-0x0000000002A72000-memory.dmp

Filesize
1.6MB

Download
memory/4320-254-0x0000000000A20000-0x0000000000A26000-memory.dmp

Filesize
24KB

Download
memory/4320-238-0x0000000000000000-mapping.dmp

Download
memory/4320-256-0x0000000002C30000-0x0000000002CF0000-memory.dmp

Filesize
768KB

Download
memory/4320-259-0x0000000002CF0000-0x0000000002D9A000-memory.dmp

Filesize
680KB

Download
memory/4320-242-0x00000000028D0000-0x0000000002A72000-memory.dmp

Filesize
1.6MB

Download
memory/4364-255-0x00000000028E0000-0x00000000028E6000-memory.dmp

Filesize
24KB

Download
memory/4364-257-0x0000000002ED0000-0x0000000002F90000-memory.dmp

Filesize
768KB

Download
memory/4364-262-0x0000000002F90000-0x000000000303A000-memory.dmp

Filesize
680KB

Download
memory/4364-244-0x0000000000000000-mapping.dmp

Download
memory/4368-206-0x0000000000000000-mapping.dmp

Download
memory/4476-132-0x0000000000000000-mapping.dmp

Download
memory/4508-180-0x000000001E010000-0x000000001E538000-memory.dmp

Filesize
5.2MB

Download
memory/4508-192-0x000000001E740000-0x000000001E75E000-memory.dmp

Filesize
120KB

Download
memory/4508-177-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-178-0x000000001D910000-0x000000001DAD2000-memory.dmp

Filesize
1.8MB

Download
memory/4508-226-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-176-0x0000000000A40000-0x0000000000AFA000-memory.dmp

Filesize
744KB

Download
memory/4508-228-0x00007FF833920000-0x00007FF8343E1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-173-0x0000000000000000-mapping.dmp

Download
memory/4508-190-0x000000001E800000-0x000000001E876000-memory.dmp

Filesize
472KB

Download
memory/4508-193-0x000000001E880000-0x000000001E8D0000-memory.dmp

Filesize
320KB

Download
memory/4512-149-0x0000000000000000-mapping.dmp

Download
memory/4652-187-0x0000000000000000-mapping.dmp

Download
memory/4880-168-0x0000000000000000-mapping.dmp

Download
memory/4924-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-143-0x0000000000000000-mapping.dmp

Download
memory/4924-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-210-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000000000-mapping.dmp

Download
memory/5024-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-147-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5028-235-0x0000000000000000-mapping.dmp

Download
memory/5044-141-0x0000000000000000-mapping.dmp

Download
memory/5044-142-0x00000000005FE000-0x0000000000611000-memory.dmp

Filesize
76KB

Download