modiloader | 2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d

Analysis

max time kernel
73s
max time network
76s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
Size

719KB
MD5

1e5d2911fa8fde421946dfcb89e3ff8e
SHA1

14588281bee7816e60985d19957bfc5b72aa84e2
SHA256

2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d
SHA512

ede9cf8d84f6e5aeebb841a9ed589b56ab1cd207a2a572aabf511323cf8096107ccfdd97937be6c97984bfc89308ec546906022a4867e74f20e7bafbf3e32690
SSDEEP

12288:6XgPVmsO7H+JeYkZQors8sEyMGXxe2lX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GLX4bEmCb+rRvZ/X

Score

10^/10

modiloader bootkit evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

B85EgtCQKi4p6Z9Kt2.exezcvex.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	B85EgtCQKi4p6Z9Kt2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zcvex.exe

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\cog.exe	modiloader_stage2
\Users\Admin\cog.exe	modiloader_stage2
\Users\Admin\cog.exe	modiloader_stage2
C:\Users\Admin\cog.exe	modiloader_stage2
C:\Users\Admin\cog.exe	modiloader_stage2

Executes dropped EXE 6 IoCs

Processes:

B85EgtCQKi4p6Z9Kt2.execod.execof.execog.execog.exezcvex.exe

pid process

1332 B85EgtCQKi4p6Z9Kt2.exe
2040 cod.exe
968 cof.exe
1148 cog.exe
1264 cog.exe
1600 zcvex.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

572 cmd.exe

pid	process
1332	B85EgtCQKi4p6Z9Kt2.exe
2040	cod.exe
968	cof.exe
1148	cog.exe
1264	cog.exe
1600	zcvex.exe

pid	process
572	cmd.exe

Loads dropped DLL 18 IoCs

Processes:

2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exerundll32.exeB85EgtCQKi4p6Z9Kt2.exerundll32.exe

pid	process
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1332	B85EgtCQKi4p6Z9Kt2.exe
1332	B85EgtCQKi4p6Z9Kt2.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zcvex.exeB85EgtCQKi4p6Z9Kt2.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /e"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /D"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /x"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /o"	B85EgtCQKi4p6Z9Kt2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /q"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /n"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /o"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /z"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /Q"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /F"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /L"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /i"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /g"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /O"	zcvex.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /v"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /f"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /E"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /a"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /Z"	zcvex.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	B85EgtCQKi4p6Z9Kt2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /P"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /j"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /c"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /R"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /C"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /p"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /h"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /A"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /y"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /X"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /H"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /d"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /r"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /w"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /J"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yqotowiyeluk = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBDEnt.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /T"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /l"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /M"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /u"	zcvex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcvex = "C:\\Users\\Admin\\zcvex.exe /S"	zcvex.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cod.exe

description ioc process

File opened for modification \??\physicaldrive0 cod.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cog.exe

description pid process target process

PID 1148 set thread context of 1264 1148 cog.exe cog.exe
Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1968 tasklist.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	cod.exe

description	pid	process	target process
PID 1148 set thread context of 1264	1148	cog.exe	cog.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

pid	process
1968	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cog.exeB85EgtCQKi4p6Z9Kt2.exezcvex.exe

pid	process
1264	cog.exe
1332	B85EgtCQKi4p6Z9Kt2.exe
1264	cog.exe
1332	B85EgtCQKi4p6Z9Kt2.exe
1264	cog.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1600	zcvex.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1264	cog.exe
1264	cog.exe
1600	zcvex.exe
1264	cog.exe
1600	zcvex.exe
1600	zcvex.exe
1264	cog.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

tasklist.execod.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeShutdownPrivilege	2040	cod.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe
Token: SeRestorePrivilege	1020	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

B85EgtCQKi4p6Z9Kt2.exezcvex.exe

pid process

1332 B85EgtCQKi4p6Z9Kt2.exe
1600 zcvex.exe

pid	process
1332	B85EgtCQKi4p6Z9Kt2.exe
1600	zcvex.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.execof.execog.exeB85EgtCQKi4p6Z9Kt2.execmd.exerundll32.exe

description	pid	process	target process
PID 1760 wrote to memory of 1332	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	B85EgtCQKi4p6Z9Kt2.exe
PID 1760 wrote to memory of 1332	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	B85EgtCQKi4p6Z9Kt2.exe
PID 1760 wrote to memory of 1332	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	B85EgtCQKi4p6Z9Kt2.exe
PID 1760 wrote to memory of 1332	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	B85EgtCQKi4p6Z9Kt2.exe
PID 1760 wrote to memory of 2040	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cod.exe
PID 1760 wrote to memory of 2040	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cod.exe
PID 1760 wrote to memory of 2040	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cod.exe
PID 1760 wrote to memory of 2040	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cod.exe
PID 1760 wrote to memory of 968	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cof.exe
PID 1760 wrote to memory of 968	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cof.exe
PID 1760 wrote to memory of 968	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cof.exe
PID 1760 wrote to memory of 968	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cof.exe
PID 1760 wrote to memory of 1148	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cog.exe
PID 1760 wrote to memory of 1148	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cog.exe
PID 1760 wrote to memory of 1148	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cog.exe
PID 1760 wrote to memory of 1148	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cog.exe
PID 1760 wrote to memory of 572	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe	cmd.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 968 wrote to memory of 1572	968	cof.exe	rundll32.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1148 wrote to memory of 1264	1148	cog.exe	cog.exe
PID 1332 wrote to memory of 1600	1332	B85EgtCQKi4p6Z9Kt2.exe	zcvex.exe
PID 1332 wrote to memory of 1600	1332	B85EgtCQKi4p6Z9Kt2.exe	zcvex.exe
PID 1332 wrote to memory of 1600	1332	B85EgtCQKi4p6Z9Kt2.exe	zcvex.exe
PID 1332 wrote to memory of 1600	1332	B85EgtCQKi4p6Z9Kt2.exe	zcvex.exe
PID 1332 wrote to memory of 2016	1332	B85EgtCQKi4p6Z9Kt2.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	B85EgtCQKi4p6Z9Kt2.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	B85EgtCQKi4p6Z9Kt2.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	B85EgtCQKi4p6Z9Kt2.exe	cmd.exe
PID 2016 wrote to memory of 1968	2016	cmd.exe	tasklist.exe
PID 2016 wrote to memory of 1968	2016	cmd.exe	tasklist.exe
PID 2016 wrote to memory of 1968	2016	cmd.exe	tasklist.exe
PID 2016 wrote to memory of 1968	2016	cmd.exe	tasklist.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 1020	1572	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
"C:\Users\Admin\AppData\Local\Temp\2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
B85EgtCQKi4p6Z9Kt2.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\zcvex.exe
"C:\Users\Admin\zcvex.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del B85EgtCQKi4p6Z9Kt2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\cod.exe
cod.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\cof.exe
cof.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\KBDEnt.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\KBDEnt.dll",iep
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\cog.exe
cog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\cog.exe
cog.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c del 2155ae0507a1c57cfbc9927c4c9d5cc933cbe38fdf02515ba84becd8f37bca8d.exe
2⤵
- Deletes itself
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
Filesize
152KB

MD5
72e9d71fe7ad21610b846614566d6e2f

SHA1
35071ef247823ff6fa675449c6506caa2f5b145f

SHA256
4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9

SHA512
14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

Download Submit
C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
Filesize
152KB

MD5
72e9d71fe7ad21610b846614566d6e2f

SHA1
35071ef247823ff6fa675449c6506caa2f5b145f

SHA256
4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9

SHA512
14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

Download Submit
C:\Users\Admin\cod.exe
Filesize
176KB

MD5
dbadc5fadb7497f5761537c06026ff47

SHA1
c8bd7319e170bd5966a73bae6f34cee4782b4f97

SHA256
b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e

SHA512
7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

Download Submit
C:\Users\Admin\cod.exe
Filesize
176KB

MD5
dbadc5fadb7497f5761537c06026ff47

SHA1
c8bd7319e170bd5966a73bae6f34cee4782b4f97

SHA256
b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e

SHA512
7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

Download Submit
C:\Users\Admin\cof.exe
Filesize
103KB

MD5
d15f3d9213e5972e1e2c069448d6f228

SHA1
224f67d7bcb15f1921211d68df19a072dc84ccfe

SHA256
9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d

SHA512
3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

Download Submit
C:\Users\Admin\cof.exe
Filesize
103KB

MD5
d15f3d9213e5972e1e2c069448d6f228

SHA1
224f67d7bcb15f1921211d68df19a072dc84ccfe

SHA256
9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d

SHA512
3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

Download Submit
C:\Users\Admin\cog.exe
Filesize
145KB

MD5
262a039229f90ba2461f2e810ad74447

SHA1
9dfe5040a3d6ea8262313953c02a1e6ae39c6916

SHA256
e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

SHA512
d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

Download Submit
C:\Users\Admin\cog.exe
Filesize
145KB

MD5
262a039229f90ba2461f2e810ad74447

SHA1
9dfe5040a3d6ea8262313953c02a1e6ae39c6916

SHA256
e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

SHA512
d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

Download Submit
C:\Users\Admin\cog.exe
Filesize
145KB

MD5
262a039229f90ba2461f2e810ad74447

SHA1
9dfe5040a3d6ea8262313953c02a1e6ae39c6916

SHA256
e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

SHA512
d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

Download Submit
C:\Users\Admin\zcvex.exe
Filesize
152KB

MD5
562644d58b1e86e6f84b00b160c32fdc

SHA1
5aff5c561a1891d773a91d45b9a1b66a0409b1f4

SHA256
cbfdc53514625b3856e89e613b41ae0cda17ef97ec17f145a1fd3e21e6d68763

SHA512
b8678a67e1279992cc23f3ccf2ea59d6582fd946d798fa4447841b5dbb269c9002cf670bb84ba04db1d23898876ef8733b7c8ca5d88338e4a7a044d63972cf5d

Download Submit
C:\Users\Admin\zcvex.exe
Filesize
152KB

MD5
562644d58b1e86e6f84b00b160c32fdc

SHA1
5aff5c561a1891d773a91d45b9a1b66a0409b1f4

SHA256
cbfdc53514625b3856e89e613b41ae0cda17ef97ec17f145a1fd3e21e6d68763

SHA512
b8678a67e1279992cc23f3ccf2ea59d6582fd946d798fa4447841b5dbb269c9002cf670bb84ba04db1d23898876ef8733b7c8ca5d88338e4a7a044d63972cf5d

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\AppData\Local\KBDEnt.dll
Filesize
103KB

MD5
be60099ceffb0aece0bc0c52998e9d65

SHA1
6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

SHA256
e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

SHA512
c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

Download Submit
\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
Filesize
152KB

MD5
72e9d71fe7ad21610b846614566d6e2f

SHA1
35071ef247823ff6fa675449c6506caa2f5b145f

SHA256
4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9

SHA512
14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

Download Submit
\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
Filesize
152KB

MD5
72e9d71fe7ad21610b846614566d6e2f

SHA1
35071ef247823ff6fa675449c6506caa2f5b145f

SHA256
4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9

SHA512
14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

Download Submit
\Users\Admin\cod.exe
Filesize
176KB

MD5
dbadc5fadb7497f5761537c06026ff47

SHA1
c8bd7319e170bd5966a73bae6f34cee4782b4f97

SHA256
b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e

SHA512
7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

Download Submit
\Users\Admin\cod.exe
Filesize
176KB

MD5
dbadc5fadb7497f5761537c06026ff47

SHA1
c8bd7319e170bd5966a73bae6f34cee4782b4f97

SHA256
b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e

SHA512
7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

Download Submit
\Users\Admin\cof.exe
Filesize
103KB

MD5
d15f3d9213e5972e1e2c069448d6f228

SHA1
224f67d7bcb15f1921211d68df19a072dc84ccfe

SHA256
9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d

SHA512
3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

Download Submit
\Users\Admin\cof.exe
Filesize
103KB

MD5
d15f3d9213e5972e1e2c069448d6f228

SHA1
224f67d7bcb15f1921211d68df19a072dc84ccfe

SHA256
9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d

SHA512
3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

Download Submit
\Users\Admin\cog.exe
Filesize
145KB

MD5
262a039229f90ba2461f2e810ad74447

SHA1
9dfe5040a3d6ea8262313953c02a1e6ae39c6916

SHA256
e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

SHA512
d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

Download Submit
\Users\Admin\cog.exe
Filesize
145KB

MD5
262a039229f90ba2461f2e810ad74447

SHA1
9dfe5040a3d6ea8262313953c02a1e6ae39c6916

SHA256
e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

SHA512
d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

Download Submit
\Users\Admin\zcvex.exe
Filesize
152KB

MD5
562644d58b1e86e6f84b00b160c32fdc

SHA1
5aff5c561a1891d773a91d45b9a1b66a0409b1f4

SHA256
cbfdc53514625b3856e89e613b41ae0cda17ef97ec17f145a1fd3e21e6d68763

SHA512
b8678a67e1279992cc23f3ccf2ea59d6582fd946d798fa4447841b5dbb269c9002cf670bb84ba04db1d23898876ef8733b7c8ca5d88338e4a7a044d63972cf5d

Download Submit
\Users\Admin\zcvex.exe
Filesize
152KB

MD5
562644d58b1e86e6f84b00b160c32fdc

SHA1
5aff5c561a1891d773a91d45b9a1b66a0409b1f4

SHA256
cbfdc53514625b3856e89e613b41ae0cda17ef97ec17f145a1fd3e21e6d68763

SHA512
b8678a67e1279992cc23f3ccf2ea59d6582fd946d798fa4447841b5dbb269c9002cf670bb84ba04db1d23898876ef8733b7c8ca5d88338e4a7a044d63972cf5d

Download Submit
memory/572-76-0x0000000000000000-mapping.dmp

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/968-89-0x0000000001D41000-0x0000000001D4E000-memory.dmp

Filesize
52KB

Download
memory/968-72-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1020-127-0x0000000000AB1000-0x0000000000ABE000-memory.dmp

Filesize
52KB

Download
memory/1020-120-0x0000000000000000-mapping.dmp

Download
memory/1148-70-0x0000000000000000-mapping.dmp

Download
memory/1264-106-0x00000000004012A0-mapping.dmp

Download
memory/1264-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-102-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-100-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-104-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-96-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-108-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-98-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1264-94-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-56-0x0000000000000000-mapping.dmp

Download
memory/1572-78-0x0000000000000000-mapping.dmp

Download
memory/1572-91-0x0000000000291000-0x000000000029E000-memory.dmp

Filesize
52KB

Download
memory/1572-86-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1600-112-0x0000000000000000-mapping.dmp

Download
memory/1968-118-0x0000000000000000-mapping.dmp

Download
memory/2016-117-0x0000000000000000-mapping.dmp

Download
memory/2040-68-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/2040-79-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2040-90-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2040-88-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download
memory/2040-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download