Behavioral Report

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 19:41

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

06cb1bb9f65f954677aa5e66cfecad10.exe
Size

4MB
MD5

06cb1bb9f65f954677aa5e66cfecad10
SHA1

7226decd411a371d2727b8b6742f578425b0a7c2
SHA256

4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0
SHA512

ea81cca73a9abad99666e974ae73b9cc38d19fa666b0914d518dee731eab4ed2ed3b7797f453db2f0f22ce6cdc2866591ac0cc56aa01d7530b29e30da8cc098b
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat spyware stealer trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	4220	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

TTPs:

Bypass User Account Control Disabling Security Tools Modify Registry

Processes:

wininit.exe06cb1bb9f65f954677aa5e66cfecad10.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Executes dropped EXE 7 IoCs

Processes:

tmpF8BC.tmp.exetmpF8BC.tmp.exetmpF8BC.tmp.exetmpF8BC.tmp.exewininit.exetmp972F.tmp.exetmp972F.tmp.exe

pid process

3604 tmpF8BC.tmp.exe
204 tmpF8BC.tmp.exe
4500 tmpF8BC.tmp.exe
3600 tmpF8BC.tmp.exe
3472 wininit.exe
260 tmp972F.tmp.exe
3244 tmp972F.tmp.exe

pid	process
3604	tmpF8BC.tmp.exe
204	tmpF8BC.tmp.exe
4500	tmpF8BC.tmp.exe
3600	tmpF8BC.tmp.exe
3472	wininit.exe
260	tmp972F.tmp.exe
3244	tmp972F.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	06cb1bb9f65f954677aa5e66cfecad10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

TTPs:

Data from Local System Credentials in Files

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io
34 ipinfo.io

flow	ioc
35	ipinfo.io
34	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmpF8BC.tmp.exetmp972F.tmp.exe

description	pid	process	target process
PID 4500 set thread context of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 260 set thread context of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe

Drops file in Windows directory 5 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exe

description	ioc	process
File created	C:\Windows\ShellComponents\56085415360792	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\ShellComponents\RCX10B.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\System\Speech\fontdrvhost.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\ShellComponents\wininit.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\ShellComponents\wininit.exe	06cb1bb9f65f954677aa5e66cfecad10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4180 schtasks.exe
3884 schtasks.exe
2020 schtasks.exe
3556 schtasks.exe
2300 schtasks.exe
5036 schtasks.exe

pid	process
4180	schtasks.exe
3884	schtasks.exe
2020	schtasks.exe
3556	schtasks.exe
2300	schtasks.exe
5036	schtasks.exe

Modifies registry class 2 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exewininit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	06cb1bb9f65f954677aa5e66cfecad10.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exe

pid	process
4648	06cb1bb9f65f954677aa5e66cfecad10.exe
4648	06cb1bb9f65f954677aa5e66cfecad10.exe
4648	06cb1bb9f65f954677aa5e66cfecad10.exe
4648	06cb1bb9f65f954677aa5e66cfecad10.exe
4648	06cb1bb9f65f954677aa5e66cfecad10.exe
808	powershell.exe
808	powershell.exe
968	powershell.exe
968	powershell.exe
4324	powershell.exe
4324	powershell.exe
900	powershell.exe
900	powershell.exe
760	powershell.exe
760	powershell.exe
1852	powershell.exe
1852	powershell.exe
1844	powershell.exe
1844	powershell.exe
3296	powershell.exe
3296	powershell.exe
1316	powershell.exe
1316	powershell.exe
2848	powershell.exe
2848	powershell.exe
2528	powershell.exe
2528	powershell.exe
1956	powershell.exe
1956	powershell.exe
808	powershell.exe
808	powershell.exe
968	powershell.exe
900	powershell.exe
4324	powershell.exe
760	powershell.exe
1852	powershell.exe
1316	powershell.exe
1844	powershell.exe
3296	powershell.exe
2848	powershell.exe
2528	powershell.exe
1956	powershell.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe
3472	wininit.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4648	06cb1bb9f65f954677aa5e66cfecad10.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	3472	wininit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wininit.exe

pid process

3472 wininit.exe

pid	process
3472	wininit.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exetmpF8BC.tmp.exetmpF8BC.tmp.exetmpF8BC.tmp.exewininit.exetmp972F.tmp.exe

description	pid	process	target process
PID 4648 wrote to memory of 3604	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	tmpF8BC.tmp.exe
PID 4648 wrote to memory of 3604	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	tmpF8BC.tmp.exe
PID 4648 wrote to memory of 3604	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	tmpF8BC.tmp.exe
PID 3604 wrote to memory of 204	3604	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 3604 wrote to memory of 204	3604	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 3604 wrote to memory of 204	3604	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 204 wrote to memory of 4500	204	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 204 wrote to memory of 4500	204	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 204 wrote to memory of 4500	204	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4500 wrote to memory of 3600	4500	tmpF8BC.tmp.exe	tmpF8BC.tmp.exe
PID 4648 wrote to memory of 808	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 808	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 760	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 760	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 968	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 968	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 900	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 900	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1852	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1852	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 4324	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 4324	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1844	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1844	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 3296	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 3296	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 2848	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 2848	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1316	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1316	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1956	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 1956	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 2528	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 2528	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 4648 wrote to memory of 3472	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	wininit.exe
PID 4648 wrote to memory of 3472	4648	06cb1bb9f65f954677aa5e66cfecad10.exe	wininit.exe
PID 3472 wrote to memory of 260	3472	wininit.exe	tmp972F.tmp.exe
PID 3472 wrote to memory of 260	3472	wininit.exe	tmp972F.tmp.exe
PID 3472 wrote to memory of 260	3472	wininit.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 260 wrote to memory of 3244	260	tmp972F.tmp.exe	tmp972F.tmp.exe
PID 3472 wrote to memory of 2364	3472	wininit.exe	WScript.exe
PID 3472 wrote to memory of 2364	3472	wininit.exe	WScript.exe
PID 3472 wrote to memory of 4028	3472	wininit.exe	WScript.exe
PID 3472 wrote to memory of 4028	3472	wininit.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

TTPs:

Modify Registry

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe

"C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe"

UAC bypass
Checks computer location settings
Checks whether UAC is enabled
Drops file in Windows directory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification

PID:4648

C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:3604

C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:204

C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4500

C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe"

Executes dropped EXE

PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2528

C:\Windows\ShellComponents\wininit.exe

"C:\Windows\ShellComponents\wininit.exe"

UAC bypass
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification

PID:3472

C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:260

C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe"

Executes dropped EXE

PID:3244

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6b25c67-b63c-4af4-9af3-82aafaaf80a0.vbs"

PID:2364

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf54d50b-189e-4011-b8e0-4238d33b324a.vbs"

PID:4028

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\wininit.exe'" /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:2020

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:3556

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\wininit.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:2300

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:5036

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:4180

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:3884

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6b25c67-b63c-4af4-9af3-82aafaaf80a0.vbs
Filesize
714B

MD5
af41f7a7cabee6f74596de4e097bb80e

SHA1
29237ba92748d98d7b9c28549f49c7ca95f62be9

SHA256
d6cea33c3eae9f07eb81d48a3ed2f7341ff07f5d6b297c1661f5045390e6f558

SHA512
b06404219ded85f0844ea8d56df99a6eaa543dc40019fb2aec4f97887fbbfb8af650d5caa45cc3d236bc7a566d777bf1b06d891e446f3db3bac02ed07532d6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf54d50b-189e-4011-b8e0-4238d33b324a.vbs
Filesize
490B

MD5
4111a36294777424783f46b12228a760

SHA1
1e1818961ccc2cd3af546874da0f7fe9a6b2e9d6

SHA256
775e90cfcd95eb7c5251164a1ac6ba464feff6d8ebad6ead880d98c120bbf7b7

SHA512
ecf4dc2424d443e615a7079d1abe527d13c157e500ca62dbd521e59046c02855e8d3f3e22d15210bb733f23ec5c685ed6a25f26e4f73b1292b3196d6532de005

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8BC.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\ShellComponents\wininit.exe
Filesize
4MB

MD5
edea1ba139a7a0c24ba1c90e07db6657

SHA1
e39984a3df1afc09ffb85be64a2a93bd0c37acbb

SHA256
9f265d81be450276e57de81011d944bc6c43e0b1ffb29e23df5ae00db19a18f2

SHA512
9d88bba9f3a3d2dace5e05c50638688b49208fdde98facb9e824dd100ba3bde974a35b5b825e8e7b84c3e28b6771951d7a95f5127638d9df813d464a0d7c2249

Download Submit
C:\Windows\ShellComponents\wininit.exe
Filesize
4MB

MD5
edea1ba139a7a0c24ba1c90e07db6657

SHA1
e39984a3df1afc09ffb85be64a2a93bd0c37acbb

SHA256
9f265d81be450276e57de81011d944bc6c43e0b1ffb29e23df5ae00db19a18f2

SHA512
9d88bba9f3a3d2dace5e05c50638688b49208fdde98facb9e824dd100ba3bde974a35b5b825e8e7b84c3e28b6771951d7a95f5127638d9df813d464a0d7c2249

Download Submit
memory/204-140-0x0000000000000000-mapping.dmp

Download
memory/204-142-0x00000000006B4000-0x00000000006B7000-memory.dmp

Filesize
12KB

Download
memory/260-206-0x0000000000000000-mapping.dmp

Download
memory/760-163-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/760-151-0x0000000000000000-mapping.dmp

Download
memory/760-188-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/760-162-0x00000210299A0000-0x00000210299C2000-memory.dmp

Filesize
136KB

Download
memory/808-164-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/808-150-0x0000000000000000-mapping.dmp

Download
memory/808-196-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/900-153-0x0000000000000000-mapping.dmp

Download
memory/900-192-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/900-166-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/968-197-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/968-152-0x0000000000000000-mapping.dmp

Download
memory/968-165-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1316-159-0x0000000000000000-mapping.dmp

Download
memory/1316-172-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1316-189-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1844-193-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1844-169-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1844-156-0x0000000000000000-mapping.dmp

Download
memory/1852-194-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1852-154-0x0000000000000000-mapping.dmp

Download
memory/1852-167-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1956-160-0x0000000000000000-mapping.dmp

Download
memory/1956-199-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/1956-174-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/2364-213-0x0000000000000000-mapping.dmp

Download
memory/2528-161-0x0000000000000000-mapping.dmp

Download
memory/2528-173-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/2528-198-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/2848-171-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/2848-158-0x0000000000000000-mapping.dmp

Download
memory/2848-190-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/3244-209-0x0000000000000000-mapping.dmp

Download
memory/3296-195-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/3296-170-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/3296-157-0x0000000000000000-mapping.dmp

Download
memory/3472-212-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/3472-200-0x0000000000000000-mapping.dmp

Download
memory/3472-204-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/3472-203-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
4MB

Download
memory/3472-217-0x000000001DEE0000-0x000000001E0A2000-memory.dmp

Filesize
1MB

Download
memory/3600-147-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3600-146-0x0000000000000000-mapping.dmp

Download
memory/3600-149-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3604-139-0x000000000111B000-0x0000000001121000-memory.dmp

Filesize
24KB

Download
memory/3604-136-0x0000000000000000-mapping.dmp

Download
memory/4028-214-0x0000000000000000-mapping.dmp

Download
memory/4324-191-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/4324-155-0x0000000000000000-mapping.dmp

Download
memory/4324-168-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/4500-143-0x0000000000000000-mapping.dmp

Download
memory/4500-145-0x0000000000A04000-0x0000000000A07000-memory.dmp

Filesize
12KB

Download
memory/4648-205-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/4648-132-0x0000000000A60000-0x0000000000F54000-memory.dmp

Filesize
4MB

Download
memory/4648-135-0x000000001D400000-0x000000001D928000-memory.dmp

Filesize
5MB

Download
memory/4648-175-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download
memory/4648-134-0x000000001CE80000-0x000000001CED0000-memory.dmp

Filesize
320KB

Download
memory/4648-133-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10MB

Download