ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08

Analysis

max time kernel
1713s
max time network
1720s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5QmlModels.dll
Size

428KB
MD5

2030c4177b499e6118be5b9e5761fce1
SHA1

050d0e67c4aa890c80f46cf615431004f2f4f8fc
SHA256

51e4e5a5e91f78774c44f69b599fae4735277ef2918f7061778615cb5c4f6e81
SHA512

488f7d5d9d8deee9bbb9d63dae346e46efeb62456279f388b323777999b597c2d5aea0ee379bdf94c9cbcfd3367d344fb6b5e90ac40be2ce95efa5bbdd363bcc
SSDEEP

6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

Gnil.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:SmartScreen:$DATA	Gnil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ColorBug.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
124	raw.githubusercontent.com
125	raw.githubusercontent.com

Executes dropped EXE 16 IoCs

Processes:

Gnil.exespoclsv.exeWinNuke.98.exeGas.exeWinNuke.98.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeWinNuke.98.exeColorBug.exeColorBug.exe

pid	Process
3028	Gnil.exe
4228	spoclsv.exe
2168	WinNuke.98.exe
5072	Gas.exe
1588	WinNuke.98.exe
1872	ColorBug.exe
1952	ColorBug.exe
2248	ColorBug.exe
2988	ColorBug.exe
4484	ColorBug.exe
4048	ColorBug.exe
2216	ColorBug.exe
448	ColorBug.exe
2840	WinNuke.98.exe
4320	ColorBug.exe
2384	ColorBug.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Gnil.exeWinNuke.98.exeGas.exeWinNuke.98.exeColorBug.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 64 IoCs

evasion

Processes:

ColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exeColorBug.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\HilightText = "22 252 49"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonText = "151 94 5"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveBorder = "69 179 45"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\TitleText = "237 224 76"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\MenuText = "95 110 71"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonShadow = "55 165 212"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonText = "26 125 229"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonText = "33 200 78"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveBorder = "4 222 126"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonFace = "211 194 181"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Window = "227 247 92"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowFrame = "194 29 74"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowText = "2 246 145"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\MenuText = "24 153 110"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Scrollbar = "209 179 116"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Hilight = "74 110 184"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitleText = "106 134 37"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowText = "101 163 77"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Scrollbar = "122 114 83"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitle = "148 41 88"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\HilightText = "163 29 231"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveTitle = "162 231 209"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonShadow = "152 13 108"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Menu = "146 210 237"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonShadow = "37 118 167"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveTitle = "210 154 2"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Scrollbar = "15 47 9"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitle = "129 239 184"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\MenuText = "246 88 108"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveBorder = "123 216 207"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonFace = "0 147 253"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitle = "212 203 252"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveBorder = "95 53 252"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitleText = "130 100 92"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\HilightText = "247 66 30"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowFrame = "254 89 8"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowText = "179 246 59"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitleText = "223 121 202"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveBorder = "52 123 56"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowText = "169 157 150"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\AppWorkspace = "95 199 55"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Menu = "230 161 1"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Hilight = "60 158 152"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Window = "130 164 180"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonText = "37 85 79"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\MenuText = "244 237 87"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\HilightText = "49 58 51"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Window = "79 133 85"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\MenuText = "108 227 30"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\InactiveTitle = "235 117 205"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveBorder = "138 149 28"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\AppWorkspace = "115 36 44"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveTitle = "211 114 35"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Window = "85 254 40"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Background = "76 173 74"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\TitleText = "17 119 236"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\TitleText = "38 183 83"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\Hilight = "183 193 68"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\WindowFrame = "51 249 185"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ActiveBorder = "61 68 72"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Colors\ButtonText = "129 218 204"	ColorBug.exe

NTFS ADS 4 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 845369.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 853758.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 819934.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 676115.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeGnil.exespoclsv.exemsedge.exemsedge.exemsedge.exe

pid	Process
2584	msedge.exe
2584	msedge.exe
4944	msedge.exe
4944	msedge.exe
3488	identity_helper.exe
3488	identity_helper.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
2248	msedge.exe
2248	msedge.exe
3028	Gnil.exe
3028	Gnil.exe
3028	Gnil.exe
3028	Gnil.exe
3028	Gnil.exe
3028	Gnil.exe
4228	spoclsv.exe
4228	spoclsv.exe
2520	msedge.exe
2520	msedge.exe
4984	msedge.exe
4984	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msedge.exe

pid	Process
4944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exe

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4944 wrote to memory of 4856	4944	msedge.exe	96
PID 4944 wrote to memory of 4856	4944	msedge.exe	96
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2892	4944	msedge.exe	97
PID 4944 wrote to memory of 2584	4944	msedge.exe	98
PID 4944 wrote to memory of 2584	4944	msedge.exe	98
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99
PID 4944 wrote to memory of 4560	4944	msedge.exe	99

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ZRK 1.1 UC\src\PyQt5\Qt5\bin\Qt5QmlModels.dll",#1
1⤵
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb110d46f8,0x7ffb110d4708,0x7ffb110d4718
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5636 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,5905666007019250707,10159634307504266815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1500

C:\Users\Admin\Downloads\Gnil.exe
"C:\Users\Admin\Downloads\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3028
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

C:\Users\Admin\Downloads\Gas.exe
"C:\Users\Admin\Downloads\Gas.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Control Panel
PID:1872

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:1952

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:2248

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:2988

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:4484

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:4048

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:2216

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:448

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:4320

C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\87a68c52-caa5-465a-bb8d-edcf24f573b1.tmp

Filesize
11KB

MD5
f73f1ee64b4017ebe5e9b9c7522f7392

SHA1
0c5ac87b4bea178daa31a2cf3fcafa8bd64eea90

SHA256
b033d2068b98e760f2cf7ee19d30024a4c6af1a39dd1fc093709e5f0fce2c0d3

SHA512
22788e21e4221872debce317b69eb4453d91a1a712063d109cc7398fc290cc00acc13914094a1e880f0690adc6ac2dba8cfe7c6a75c2df26268193b5c44e9950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
784bfcb28fa73a43f885dc2a9f43454e

SHA1
7175a477829f8b5098b464c7a6d425083869a25a

SHA256
214f2c85e3e6dce85f4f95c882db081aef078242bceeaddc941d510cd1a758d0

SHA512
48c20aa191265a3a9174e6c389ba817fdf70d92518fd9309653aaefae98f92fc240643dd63a905d782617c83267f4e3c75281348bc85ed6db6f8a3f428044a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
83f161ee68c45f87d3a2668ba9d6164d

SHA1
f94825fbcf086e6e3b02cc1c2710c3cd51b097ee

SHA256
081d48cb0d58e357ac76fa5f94822e83da8b4494d570d0815691248421fd10c4

SHA512
5e15e345b045aec2be79dd580eec8e33a99ece7b8293ce8d33cdd1257ed7860d5f27f9703450f540879b0910dd6c8d887659e5b052943bd6906df2a82a1c8e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
d4581af87c92acd22fcbdd95e5b10984

SHA1
12b694a76f04814e2d3d89cf2cea2985e494d988

SHA256
82114f3758fb48bef52060f86329df035e82c2db82cf85dfdf174e2a22cf6dba

SHA512
febddc64c1c2a7e3cb1c1ba1c6389503c94829dcfaaf9ac8acf13ecdc020fcb7b26731f0e4af043f4bb0b117b0208bec58713e71e154bfe842e6045a40440e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
249d149b3404df439725f37236c8cf67

SHA1
bc5ae29aa96d71f45b2eae2b3e9eee4a4879fb96

SHA256
c34b0049a75fd8555719179dad649271272d7427fbadd0bc4ff8350fc79bcb4e

SHA512
5b70cc46f96cb21eaa398280c5ba2edb0efaa6fc105496008470b3769eddaa5b42090ce3eb9c7aa03cbe252fcd3ae9dc6d1e0a1535065d92d99346c017385530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8da36168bfc1a06b5c7b3d8bf570b54b

SHA1
69b7a1b93e2fc3ca9475f3ed81d366ecc779914c

SHA256
77488e645afc04110e38776cc2813e5040f189b71d6447bdd91b85f99931fb14

SHA512
90ce7352c1760602315037cef104cb8e00b7f3213027a8396323889d5ea0bd3b5e582f5ba93d4efe027aae2300b64cb66dcc6bff35b260943265c2c362f87711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b9732ecac160fb98316d9af98bcc846

SHA1
a6500a06ef11db5f6e98489f7b87d4ebda4c03b6

SHA256
afa573be9df78c1f259c1f296eff02a6e34b9b40504b8c8a0078a0d7d6f45621

SHA512
0cf46311312d93adfa0d6bfe64f09e99320c4aa2ece8d47ab80ba6ecdfc3b751903a57c17269c2294d3bcba148a132118467f5d6b1eda595882bc154c8f10d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aafab495658d9fc2659fde0cb14bd79e

SHA1
5855b4783a31a49ba8886c631b819d97e74b0a72

SHA256
b9a3e9f7ea54f5213d36ef31fccd186a8a2805efe73d699d52022143bfd225e5

SHA512
76023043c227b1a23fc8c9bc5af274b257462e3d0fd82298da9d40d80db1971bc8eab9896e5c9c71642e23549db7dca4eb33cbe99f0cbbef5baee7568b203a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3404575a631cdc34bdf91f5d847f839b

SHA1
1eacafc207da83cc31187ecdf96de8f97f42abdd

SHA256
e1ce5414da006dd03fc05437a798b1bad8cf7dbe3cfe6127a43e818091d35c6a

SHA512
f3e6b2c035c5182c115f2f932a41cddd5ab64cc338741caf923f9358924e2406e0d5486d691beed6c920b4fc9a9c936edbec3965669281736668bee37a54df4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0098bae93898a0c526e4c47b40b02d95

SHA1
90e93347a328f447183c6e3e1aa66807c9782aea

SHA256
69dd72082f3973c5adacfd6716e706add9a5d4e7f81389bfd4642d470769d59c

SHA512
63e9a571ad26e22ab88349cc31a6b0b5b96fb60e0a1cb750e6b2f77371b2c2d810f2524315a8442328f6a78b0fbb7ce5a0b2c671302cc4365319193719979201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4938a7ea0645ada007f93cc46391cba7

SHA1
e1322511355d32ae13fe8bd5225a9c9213083667

SHA256
6b14ee87ad332ca3b5662b71ae4b322e9e7f5bd3030a33de246ae969e906ce2b

SHA512
f35913d3633a3be149b20a31941bb70dc7c56d59ee747ed46d741820f01679c431eb67a5b917e0d1293b9d26b36748f94ab9c35b6136ef048585254f16b7346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f75de1b2a184d7223992a5c052dd99bc

SHA1
43ac24ac3fbb6f5bad8ae3d4f3095f06f73927c6

SHA256
ead2bb2c2de02d6fbbdf2785b45a4e6c727ff53f010b5f578d531d3d930c5407

SHA512
cb0967f44b06d12cfe0f57ad95802cd4ea7d356dc57b3244d9c602fe5b68e8a79f5061356c000b641bb4f634b8a91c55a2d3fb3eb0be8fd304777f5949905149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2df3024574202728fa97202c0f03966a

SHA1
036f6801a4b669a1415bdabd7e57ef7ed3462b9a

SHA256
3c004072f56f7fd0662740097148f4e1193a167b482bad14e8bbdedbd3751129

SHA512
a65539d747b9dc3e65a2e8718183715686f8a088ec16e9445c9ec295e96097ced3e4c896c7b08573ea6f756759c8f2477bbbf85a1de350384263327dc60f6897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e602e6b02412f1bd6232f3747326068e

SHA1
7c74f83ba0e461553783e32533b0d96f973a2997

SHA256
6c7425e89589426f8b458e51dd21a468b2232751294959c5ae6a4fd63c46ee18

SHA512
a983f93cfc0b4fb0e3d8e8a7ba097fb6320f0daefea9346a4503dff3032a32649509abbfb281752069a01ec7fbf3d7b44aaa2e27d88d17761773fb5e4f715d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4227c3c54bbab13f354e9792211f2a17

SHA1
dc45cf4ffc523aa6395afa0af6ee352652f04de5

SHA256
b30e8d02a801193e302e0c80479c9dcb99bc65ea08f6e1aca161245ad93438ea

SHA512
a4b3aa45893bfe623bd716ec71d09fd78b5eae809965247ea2b88e82ebbc949cf3536b75dc662224f667f4beba2e8fd0a454ec39bad6a37e66f3059667da0a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b49991d3f45440e3910c20f8c7f9649a

SHA1
5a665399912c04387f3c607f2abb2fc266377576

SHA256
840c6ecb137896a67165c844b20881c6f9af5ce8e7f5c6ca2ba15dcbadb09002

SHA512
1d7c9eec7d9ac7ce0b2aa371366085076ee52338b0e566e6b77a7466e898f89bcbb3ba6c9adf8b96256b550aa4d0cf648251dd002ed6f094783bbc08d7ea19f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5afd1c2e7e99420a39b4d080f360531

SHA1
5efe2e80c4b4c26a3b5d0bd0fe2965aac2eb90a0

SHA256
4d1162ef46dc315121936c34f3920116d8abad9484a2a01c420ea22a4d610338

SHA512
6cda072f9da53f104226218388a03ee4e4bf9b11e9981d24c116e113afa9e475e1c7d91523b4275c185e3920e434836082c0d0205397be6e350e2cb28b5e4a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a55bd5f2e56ca0ca25bd4cb43dae466

SHA1
5e586a490770fb6362edbe56544d309ae15b40e6

SHA256
5309d170f26c64b46cacaab625cfea319c070df32cb009c6564a0b7d734039e9

SHA512
3fc8056f532847d34e1f3b435fc1faa8569024025190f8d62e36f1d859024a2c4a0bd85b57f4709b8f2ce875fe33f85ebc65e0aceca8c60d99665119679daa62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb53c66d1af1306ae403e5d852e5c41d

SHA1
463ccb2ff9249b20cc90c7aa5ab9f80d2140045a

SHA256
7672359a0082c120b27749dc8a40152aaf736dfb9885aecb1c686b7114a00d24

SHA512
7813a89a00c66237ab3d14d5dab271b851654add92e79cf0acf77cd596503080dbd91cb00ca833e1117f7a415fc5e1a7c0478418bf88befb1b5f0fbeb7be365d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22c49123b55c5e2c94fd8739b667d5f8

SHA1
e1fe99846fce1531ae3aa3b9053da0370856f571

SHA256
8d1f99181822a6151fab783d32e49cc169e30e9217d6fd77e069c80e66d96ce2

SHA512
d7a2b97d0cb1d1f2f93d787ed1311f4fd72af475b914ece293d429144437822d56b46fb1ef55a51ca68f2a1e059c1c4efc344d1c3c9187cbad8780034e9e2024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58750c.TMP

Filesize
1KB

MD5
e10b1976242361a59cbcda95e97dacd3

SHA1
fe129d3e7031c8cfee06b2d8eae4c015882949bc

SHA256
9b0aa61a00147bdeca9d60f021be33d23f7cb61e9a826dd2fc257a114ccfcfa4

SHA512
9f9339aae2b4079aeaab7df368766629e6ef2a6fb6671e973948739c9072c49a161d444426f6791af085c65b9bc6681fbca4227578f4c89d0a53cc8abcd19c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bacdd4506dab8150221377733e3e26a0

SHA1
9387b51c284a329820fc0d554b0539d93ba6f6e6

SHA256
aa18094624c69766a573e95ed7b14ac6b3dd9c03ab516d0445da84ab3929ee26

SHA512
bbba87d65c97ddd0250ab861e2fd0bcd1af1944fb7bedfe972dd1a2288765f4f8afabbf8c36942b9774c77b04cd09ab50ab5aa9639ab4575e4e160311644f573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2c72b03cca5112c23c9f01464dfd8928

SHA1
eb735f31f7743d54a8b6c7b28bb9991c7854086f

SHA256
5627afe67d1410353c1f005f080e0b84e135f10461a89a45686b2ef370b24f20

SHA512
2229e6abcb7ef4fb6a6f58aaef6a8e4a67b0abd1f286a29e4fc592a14858613e1101dbb44a1c34ba51561547937f6f711e63079b4d15c92fa2cfdc44bdb77f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab96f10ffa511543418613efa9c96feb

SHA1
d222b5bc26242093ef6f554a66ed4bde68da9ef0

SHA256
1817f49d6c0a447d27bba13602110e35f301701105524b54c75a184ef5d63a41

SHA512
6f35f3b38e278ce00624b17a56a51bcd5dc34d72acb0d8a0caa67689e2dd8a1178bd39141cd7daed831c5cb3afed304dbc443245ffd0985f2975459d7694c6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
822a89a57de4363b24a061f06ba021b7

SHA1
f6a46532ce03149dbde7f8d0d540a5fdcd9d8fe9

SHA256
c76a39e88288fe9119a9d411b2bad27f1f84ea1bc9afe32cca9cb97bee73625f

SHA512
18d77aa7cbd57e93ce50643ddf3a561d2c403bd1bc772549bded13a68ea97b9135068dc9314f362510eb5c43dddf80d55086076ea75e28da3d19a3362a144e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eeb63c9bb5db732d7a167dc15d3faecb

SHA1
579fc3e5f99c50d9c224ffe7c5c33dba211e451a

SHA256
cbf44f3959a6d994fa8279f56eb99fe95d88c0c1b5c6e44dca843c0f75e8f444

SHA512
e6bf75f402f4339ca0aea19452c30f1a6a4e9edd81fc59921c0fc70f5c1b52e45fb60a705caf805161b43b93ee9f4dd525d80bd577d9776f5c3952df4de6085d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 676115.crdownload

Filesize
73KB

MD5
37e887b7a048ddb9013c8d2a26d5b740

SHA1
713b4678c05a76dbd22e6f8d738c9ef655e70226

SHA256
24c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b

SHA512
99f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 819934.crdownload

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 819934.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 845369.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 853758.crdownload

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
\??\pipe\LOCAL\crashpad_4944_MLXNADNSJVVQLLRQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/448-770-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-726-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1952-728-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-768-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-748-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2384-793-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-750-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3028-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4048-763-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4228-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-782-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4484-752-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download