gcleaner | 106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
Size

3.4MB
MD5

ca48a01552acf9cb77202bf0b77a7a1c
SHA1

1daba5dbab15456462e1ac3e80b782aa867889c2
SHA256

106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4
SHA512

f5942e6a162c2b3e5df3ac14b24350f36e393ddb80400fcd47070e70b6eccaa366ef3406c8452b795c7b28cf2266fd8eb1339f51dcc1910a004c72e14cbe8a55
SSDEEP

49152:Kj4FOCYYcrX7JGwyTL2RhE3IiSKVFGclOt45MaUEr7NSv2opoSH7QirAnN4tSqJS:cRCHCowyTL2RgSWj5WaU28wN4t0N

Score

10^/10

gcleaner lgoogloader onlylogger raccoon vidar xmrig 87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a 933 downloader loader miner stealer

Malware Config

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Extracted

Family

vidar

Version

41.4

Botnet

933

https://mas.to/@sslam

Attributes

profile_id
933

Extracted

Family

raccoon

Version

1.8.2

Botnet

87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a

Attributes

url4cnc
http://telemirror.top/jredmankun

http://tgmirror.top/jredmankun

http://telegatt.top/jredmankun

http://telegka.top/jredmankun

http://telegin.top/jredmankun

https://t.me/jredmankun

rc4.plain

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/5004-47-0x0000000000430000-0x0000000000442000-memory.dmp	family_lgoogloader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral2/memory/2532-266-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/2532-269-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/2532-270-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/2532-271-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/2532-297-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/4584-210-0x0000000000A10000-0x0000000000A3F000-memory.dmp	family_onlylogger
behavioral2/memory/4584-211-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger
behavioral2/memory/4584-273-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4676-209-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar
behavioral2/memory/4676-212-0x0000000002490000-0x0000000002566000-memory.dmp	family_vidar
behavioral2/memory/4676-227-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3892-300-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-302-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-303-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-308-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-309-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-310-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-311-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-312-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3892-325-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	services64.exe

Executes dropped EXE 17 IoCs

pid	Process
1156	DownFlSetup110.exe
5004	inst1.exe
4676	Soft1WW02.exe
4888	4.exe
5072	5.exe
5000	setup.exe
3448	EASS.exe
4584	setup_2.exe
1924	setup.tmp
3824	9.exe
3912	setup.exe
4300	Calculator Installation.exe
2596	Chrome 5.exe
2684	setup.tmp
1260	services64.exe
2532	EASS.exe
1860	sihost64.exe

Loads dropped DLL 6 IoCs

pid	Process
1924	setup.tmp
4300	Calculator Installation.exe
4300	Calculator Installation.exe
2684	setup.tmp
4300	Calculator Installation.exe
4300	Calculator Installation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
7	iplogger.org
8	iplogger.org
20	iplogger.org
21	iplogger.org
97	raw.githubusercontent.com
98	raw.githubusercontent.com
9	iplogger.org
19	iplogger.org
104	pastebin.com
105	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 2532	3448	EASS.exe	144
PID 1260 set thread context of 3892	1260	services64.exe	149

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4036	4584	WerFault.exe	103
4516	4676	WerFault.exe	98
1872	4584	WerFault.exe	103
3336	4584	WerFault.exe	103
4472	4584	WerFault.exe	103
5020	4584	WerFault.exe	103
4548	4584	WerFault.exe	103
3272	4584	WerFault.exe	103
4468	4584	WerFault.exe	103
2668	4584	WerFault.exe	103
1356	4584	WerFault.exe	103

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023306-140.dat	nsis_installer_1
behavioral2/files/0x0007000000023306-140.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe
4516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2596	Chrome 5.exe
2596	Chrome 5.exe
1260	services64.exe
1260	services64.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	4.exe
Token: SeDebugPrivilege	1156	DownFlSetup110.exe
Token: SeDebugPrivilege	5072	5.exe
Token: SeDebugPrivilege	3824	9.exe
Token: SeDebugPrivilege	2596	Chrome 5.exe
Token: SeDebugPrivilege	1260	services64.exe
Token: SeLockMemoryPrivilege	3892	explorer.exe
Token: SeLockMemoryPrivilege	3892	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1156	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	96
PID 1512 wrote to memory of 1156	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	96
PID 1512 wrote to memory of 1156	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	96
PID 1512 wrote to memory of 5004	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	97
PID 1512 wrote to memory of 5004	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	97
PID 1512 wrote to memory of 5004	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	97
PID 1512 wrote to memory of 4676	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	98
PID 1512 wrote to memory of 4676	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	98
PID 1512 wrote to memory of 4676	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	98
PID 1512 wrote to memory of 4888	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	99
PID 1512 wrote to memory of 4888	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	99
PID 1512 wrote to memory of 5072	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	100
PID 1512 wrote to memory of 5072	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	100
PID 1512 wrote to memory of 5000	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	101
PID 1512 wrote to memory of 5000	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	101
PID 1512 wrote to memory of 5000	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	101
PID 1512 wrote to memory of 3448	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	102
PID 1512 wrote to memory of 3448	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	102
PID 1512 wrote to memory of 3448	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	102
PID 1512 wrote to memory of 4584	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	103
PID 1512 wrote to memory of 4584	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	103
PID 1512 wrote to memory of 4584	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	103
PID 5000 wrote to memory of 1924	5000	setup.exe	104
PID 5000 wrote to memory of 1924	5000	setup.exe	104
PID 5000 wrote to memory of 1924	5000	setup.exe	104
PID 1512 wrote to memory of 3824	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	105
PID 1512 wrote to memory of 3824	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	105
PID 1924 wrote to memory of 3912	1924	setup.tmp	106
PID 1924 wrote to memory of 3912	1924	setup.tmp	106
PID 1924 wrote to memory of 3912	1924	setup.tmp	106
PID 1512 wrote to memory of 4300	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	107
PID 1512 wrote to memory of 4300	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	107
PID 1512 wrote to memory of 4300	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	107
PID 1512 wrote to memory of 2596	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	108
PID 1512 wrote to memory of 2596	1512	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	108
PID 3912 wrote to memory of 2684	3912	setup.exe	109
PID 3912 wrote to memory of 2684	3912	setup.exe	109
PID 3912 wrote to memory of 2684	3912	setup.exe	109
PID 2596 wrote to memory of 1196	2596	Chrome 5.exe	135
PID 2596 wrote to memory of 1196	2596	Chrome 5.exe	135
PID 1196 wrote to memory of 2532	1196	cmd.exe	137
PID 1196 wrote to memory of 2532	1196	cmd.exe	137
PID 2596 wrote to memory of 1260	2596	Chrome 5.exe	138
PID 2596 wrote to memory of 1260	2596	Chrome 5.exe	138
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 3448 wrote to memory of 2532	3448	EASS.exe	144
PID 1260 wrote to memory of 2856	1260	services64.exe	145
PID 1260 wrote to memory of 2856	1260	services64.exe	145
PID 1260 wrote to memory of 1860	1260	services64.exe	147
PID 1260 wrote to memory of 1860	1260	services64.exe	147
PID 2856 wrote to memory of 4516	2856	cmd.exe	148
PID 2856 wrote to memory of 4516	2856	cmd.exe	148
PID 1260 wrote to memory of 3892	1260	services64.exe	149
PID 1260 wrote to memory of 3892	1260	services64.exe	149
PID 1260 wrote to memory of 3892	1260	services64.exe	149
PID 1260 wrote to memory of 3892	1260	services64.exe	149
PID 1260 wrote to memory of 3892	1260	services64.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\inst1.exe
  "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
  "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
  2⤵
  - Executes dropped EXE
  PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1016
    3⤵
    - Program crash
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\is-JLA8C.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JLA8C.tmp\setup.tmp" /SL5="$401DE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\is-KF6H0.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KF6H0.tmp\setup.tmp" /SL5="$80200,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2684
- C:\Users\Admin\AppData\Local\Temp\EASS.exe
  "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 624
    3⤵
    - Program crash
    PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 632
    3⤵
    - Program crash
    PID:1872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 688
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 784
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 876
    3⤵
    - Program crash
    PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 972
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 944
    3⤵
    - Program crash
    PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1196
    3⤵
    - Program crash
    PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1204
    3⤵
    - Program crash
    PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1372
    3⤵
    - Program crash
    PID:1356
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2532
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:4516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:1860
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4584 -ip 4584
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4584 -ip 4584
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4584 -ip 4584
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4584 -ip 4584
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4584 -ip 4584
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4584 -ip 4584
1⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4584 -ip 4584
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4584 -ip 4584
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4584 -ip 4584
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
8KB

MD5
320681737aca2a42ef41a7a802e7e395

SHA1
bc6974316d2668a7d0e92cb1ab61a8a758cbd76b

SHA256
5e40c7686d99670b996cae8582dcf3aef6885f87934273f03d7bf10a232e0b33

SHA512
01e25cfb81095a7b0f37d1f69a35be63e6df8c428a0a2a37610c49fb3516dba69d91a6e98738fe7aefe77fd71a3978221817e20dd9dd1bfffe2b09c0deca1bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
8KB

MD5
f37e479ee64ec5b9d75689a12aa79cd2

SHA1
d6b2c01e90a1488cab24063e29bed1a22de5ca9b

SHA256
8127fa63cb781d32e4f0f91dde38c2c9d0307e9267c721922c6b8d9a31c915f0

SHA512
468245b2b9237de8cd9800da7881770525d14462faa95c0b608b3c972f70c6306851be7a41d92447f4dba9450f462be9328f7c867844fe42a8e7be123be13c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
8KB

MD5
3c7203aee224472579c502ad5adb8fb6

SHA1
f4ae3519f99431a4fb8130e929c94d89824b29fe

SHA256
f82dbb015721f197b206f377d1b0676c52c9725ad463a5ad09e12ca1cfc798e2

SHA512
9eae3f0db67cc1597d018203c9a0f53291fe08a3892c404e07093e658ef989cc77765669c19884e362ec0452946d75cb38749d74d7fa23b618e6dc021bd5c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

Filesize
328KB

MD5
7c4dd7df0090fafa88ea953ebf7e82c6

SHA1
587b32f765393a33aac665d2ead53012840ccb75

SHA256
bcc5b73bd77beae3ff24c384562c0902f90b212f4c345b99f97cae8452111f65

SHA512
8ab5dfd7ed4654e3f738a74ba3ec2c31ef79ea463edc81b5c781411401fac6982b6436ae668476f2a50ae88006379a57c85fec2f98c886bbb77a4d749969cdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
978582a03929afba9f50b7d149dfdb25

SHA1
fd27dfbd0ffec108b3c2ab648993817592010bbc

SHA256
7f413eeaf2db3ec6c7f94d3a5d06644fe5406afdde27e3552a736eaec373f283

SHA512
b37d706c64c15b6aec33d8c104ad18de335cb08dc831103669fd58995ef174f5306a0b5a083790a0f724d5cd9c5c0b7e384d243604e931a1f347521a863b7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASS.exe

Filesize
1.3MB

MD5
c32404b0c8f851f345c1c48692ebc017

SHA1
41d93e106962f20ad85b70dd525a1c3475496a33

SHA256
175a43161c32ae6f4f66e777411304d07e0196156251c9756e61432cd577c70c

SHA512
30c837fa76ed4c3eeab7289db8115ba792131caf325ce9192be7d0bd2dc7669ee1ba1b1596ae40185e27716e65b9f8f7d3ee3dddd4308f5706b8e055e28923ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

Filesize
765KB

MD5
dd505d9dbf82b624095781c1a01e4dbb

SHA1
2c0d3d6e6b70435e8e5608ad8a3c20db7d76b23e

SHA256
bb1ad922f27d0bb3b41988829a5716bce113ac947f6ba9d66ef12876b7af78fe

SHA512
7668c2ce458d96b9e0a6f8ab9d72799582dfd316e2e28b293f3697f3d1cf47f2fb0fd9cd3e0b99f92d44aa91df6dbcaaa24a348baa3f1a62f07d93922ecff0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe

Filesize
221KB

MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DB4NE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7JO6.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JLA8C.tmp\setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw8A9E.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw8A9E.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
379KB

MD5
429d0e06d7add76fdbfeb404a7bf4469

SHA1
11dedd36c146ae82f6a46360a6c5019284cc86f2

SHA256
32dccba4478d58b4e41bbf18f9d7532fd7d49ba6429b460b377f01e3f9bab736

SHA512
1443c7fc5a07ea82bb1a19211ee73a14e17961dd275e0d9118196ae99fae0de47a67e3ca74e50e90248923691d816aa50acb88329407f6128a2fe30bf405bee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
376KB

MD5
571f9ac1a144d07f5f8e5054ebd737d9

SHA1
6aebb0894669814622bf9417e91870e0c81e0fc1

SHA256
8760d706dffea96fd453a150ba18a3110518fbdc7dfa8c48f84b94a06d7ab47c

SHA512
13ef865efd4c61cbc95c570e956a9bc70ee3a261d60ac6ef138c8c285bb093859e499f92e5f8ac7180b9c017e4ed362f2b1c40ba567f179d658d5978751f4ba8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/1156-71-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1156-166-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1156-32-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/1156-194-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1156-25-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1156-14-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/1260-278-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/1260-280-0x000000001D160000-0x000000001D170000-memory.dmp

Filesize
64KB

Download
memory/1260-259-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-0-0x0000000000BB0000-0x0000000000F20000-memory.dmp

Filesize
3.4MB

Download
memory/1512-1-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1512-177-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1512-146-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-295-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/1860-296-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-147-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1924-121-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2532-266-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2532-269-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2532-297-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2532-271-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2532-270-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2596-260-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-238-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-182-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2596-192-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-245-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2596-243-0x0000000001890000-0x000000000189E000-memory.dmp

Filesize
56KB

Download
memory/2596-246-0x00000000018C0000-0x00000000018D2000-memory.dmp

Filesize
72KB

Download
memory/2684-240-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2684-230-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2684-193-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3448-99-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-109-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/3448-98-0x0000000000770000-0x00000000008B8000-memory.dmp

Filesize
1.3MB

Download
memory/3448-265-0x0000000006D00000-0x0000000006DDA000-memory.dmp

Filesize
872KB

Download
memory/3448-130-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/3448-264-0x00000000069E0000-0x0000000006A7C000-memory.dmp

Filesize
624KB

Download
memory/3448-107-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/3448-195-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/3448-127-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3448-272-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-232-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-234-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3824-161-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/3824-237-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-152-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-132-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/3892-310-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-325-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-303-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-308-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-305-0x0000000000E50000-0x0000000000E70000-memory.dmp

Filesize
128KB

Download
memory/3892-309-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-300-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-311-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-312-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3892-302-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3912-229-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3912-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3912-176-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4584-215-0x0000000000A80000-0x0000000000B80000-memory.dmp

Filesize
1024KB

Download
memory/4584-210-0x0000000000A10000-0x0000000000A3F000-memory.dmp

Filesize
188KB

Download
memory/4584-211-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/4584-244-0x0000000000A80000-0x0000000000B80000-memory.dmp

Filesize
1024KB

Download
memory/4584-273-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/4676-212-0x0000000002490000-0x0000000002566000-memory.dmp

Filesize
856KB

Download
memory/4676-201-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/4676-209-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/4676-227-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/4888-231-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/4888-200-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-85-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/4888-63-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-48-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/5000-164-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5000-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5000-77-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-47-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/5004-33-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/5072-62-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/5072-76-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-214-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/5072-202-0x00007FFB6E830000-0x00007FFB6F2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-88-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download